adobe v.20200522
(NTUSER.DAT) Gets user's Adobe app cRecentFiles values

Could not access Software\Adobe\Adobe Acrobat\\AVGeneral\cRecentFiles

Could not access Software\Adobe\Acrobat Reader\\AVGeneral\cRecentFiles

----------------------------------------
allowedenum v.20200511
(NTUSER.DAT, Software) Extracts AllowedEnumeration values to determine hidden special folders

Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration not found.
Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration not found.
----------------------------------------
appassoc v.20200515
- Gets contents of user's ApplicationAssociationToasts key

Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts not found.
----------------------------------------
appcompatflags v.20200525
(NTUSER.DAT, Software) Extracts AppCompatFlags for Windows.


Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VYV2J9YG\TreeSizeFreeSetup[1].exe
----------------------------------------
appkeys v.20200517
(NTUSER.DAT, Software) Extracts AppKeys entries.

----------------------------------------
applets v.20200525
(NTUSER.DAT) Gets contents of user's Applets key

Applets
Software\Microsoft\Windows\CurrentVersion\Applets
LastWrite Time 2015-09-21 09:48:32Z

Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List not found.

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastWrite Time 2015-09-23 11:04:18Z
RegEdit LastKey value -> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0
----------------------------------------
apppaths v.20200511
(NTUSER.DAT,Software) Gets content of App Paths subkeys

----------------------------------------
Software\Microsoft\IntelliPoint\AppSpecific not found.
----------------------------------------
appx v.20200427
(NTUSER.DAT, USRCLASS.DAT) Checks for persistence via Universal Windows Platform Apps

----------------------------------------
arpcache v.20200515
(NTUSER.DAT) Retrieves CurrentVersion\App Management\ARPCache entries

Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache not found.
----------------------------------------
attachmgr v.20200525
(NTUSER.DAT) Checks user's keys that manage the Attachment Manager functionality

Software\Microsoft\Windows\CurrentVersion\Policies\Associations not found.

Software\Microsoft\Windows\CurrentVersion\Policies\Attachments not found.

----------------------------------------
cached v.20200525
(NTUSER.DAT) Gets cached Shell Extensions from NTUSER.DAT hive

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
LastWrite Time 2021-01-14 07:28:17Z

2015-09-21 09:17:33Z  First Load: {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} (IShellIconOverlayIdentifier)
2015-09-21 09:17:33Z  First Load: {4E77131D-3629-431C-9818-C5679DC83E81} (IShellIconOverlayIdentifier)
2015-09-21 09:17:33Z  First Load: {08244EE6-92F0-47F2-9FC9-929BAA2E7235} (IShellIconOverlayIdentifier)
2015-09-21 09:21:11Z  First Load: {DFFACDC5-679F-4156-8947-C5C76BC0B67F} (IDelegateFolder)
2015-09-21 09:21:11Z  First Load: {896664F7-12E1-490F-8782-C0835AFD98FC} (IDelegateFolder)
2015-09-21 09:21:14Z  First Load: {D34A6CA6-62C2-4C34-8A7C-14709C1AD938} (IDelegateFolder)
2015-09-21 09:21:15Z  First Load: {871C5380-42A0-1069-A2EA-08002B30309D} (IShellFolder)
2015-09-21 09:21:16Z  First Load: {C2B136E2-D50E-405C-8784-363C582BF43E} (IDelegateFolder)
2015-09-21 09:21:17Z  First Load: {ED228FDF-9EA8-4870-83B1-96B02CFE0D52} (IShellFolder)
2015-09-21 09:21:17Z  First Load: {1F3427C8-5C10-4210-AA03-2EE45287D668} (IShellFolder)
2015-09-21 09:21:19Z  First Load: {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} (IShellFolder)
2015-09-21 09:21:19Z  First Load: {14074E0B-7216-4862-96E6-53CADA442A56} (IExtractIconW)
2015-09-21 09:21:24Z  First Load: {2227A280-3AEA-1069-A2DE-08002B30309D} (IShellFolder)
2015-09-21 09:23:58Z  First Load: {9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} (IShellFolder)
2015-09-21 09:24:04Z  First Load: {40DD6E20-7C17-11CE-A804-00AA003CA9F6} (IShellCopyHookW)
2015-09-21 09:44:39Z  First Load: {11DBB47C-A525-400B-9E80-A54615A090C0} (IExecuteCommand)
2015-09-21 09:44:39Z  First Load: {35786D3C-B075-49B9-88DD-029876E11C01} (IDelegateFolder)
2015-09-21 09:44:39Z  First Load: {9113A02D-00A3-46B9-BC5F-9C04DADDD5D7} (IDelegateFolder)
2015-09-21 09:44:39Z  First Load: {B155BDF8-02F0-451E-9A26-AE317CFD7779} (IDelegateFolder)
2015-09-21 09:44:39Z  First Load: {CC55EE92-FE67-43C9-95E7-E646918A4A04} (IExplorerCommand)
2015-09-21 09:46:30Z  First Load: {2854F705-3548-414C-A113-93E27C808C85} (IContextMenu)
2015-09-21 09:46:31Z  First Load: {7B4A83B6-F704-4B77-8E3D-C6087E3A21D2} (IExplorerCommandState)
2015-09-21 09:46:38Z  First Load: {FF393560-C2A7-11CF-BFF4-444553540000} (IShellFolder)
2015-09-21 09:47:28Z  First Load: {DAF95313-E44D-46AF-BE1B-CBACEA2C3065} (IShellFolder)
2015-09-21 09:47:28Z  First Load: {04731B67-D933-450A-90E6-4ACD2E9408FE} (IDelegateFolder)
2015-09-21 09:47:29Z  First Load: {BD7A2E7B-21CB-41B2-A086-B309680C6B7E} (IShellFolder)
2015-09-21 09:47:29Z  First Load: {9E175B8B-F52A-11D8-B9A5-505054503030} (IDBProperties)
2015-09-21 09:47:29Z  First Load: {B2952B16-0E07-4E5A-B993-58C52CB94CAE} (IShellFolder)
2015-09-21 09:47:29Z  First Load: {11016101-E366-4D22-BC06-4ADA335C892B} (IShellFolder)
2015-09-21 09:47:48Z  First Load: {596AB062-B4D2-4215-9F74-E9109B0A8153} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {474C98EE-CF3D-41F5-80E3-4AAB0AB04301} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {888DCA60-FC0A-11CF-8F0F-00C04FD7D062} (IDropTarget)
2015-09-21 09:47:48Z  First Load: {85BBD920-42A0-1069-A2E4-08002B30309D} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} (IDropTarget)
2015-09-21 09:47:49Z  First Load: {ECF03A32-103D-11D2-854D-006008059367} (IDropTarget)
2015-09-21 09:47:49Z  First Load: {9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} (IDropTarget)
2015-09-21 09:48:39Z  First Load: {BB06C0E4-D293-4F75-8A90-CB05B6477EEE} (IShellFolder)
2015-09-21 09:48:42Z  First Load: {F0152790-D56E-4445-850E-4F3117DB740C} ({000214E9-0000-0000-C000-000000000046})
2015-09-21 09:49:45Z  First Load: {A38B883C-1682-497E-97B0-0A3A9E801682} ({886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99})
2015-09-21 09:52:01Z  First Load: {7007ACC7-3202-11D1-AAD2-00805FC1270E} (IShellFolder)
2015-09-21 09:53:37Z  First Load: {36EEF7DB-88AD-4E81-AD49-0E313F0C35F8} (IShellFolder)
2015-09-22 05:24:06Z  First Load: {0BF754AA-C967-445C-AB3D-D8FDA9BAE7EF} (IContextMenu)
2015-09-22 05:24:06Z  First Load: {6B9228DA-9C15-419E-856C-19E768A13BDC} (IContextMenu)
2015-09-22 05:24:15Z  First Load: {C555438B-3C23-4769-A71F-B6D3D9B6053A} (IShellFolder)
2015-09-22 05:24:15Z  First Load: {C6D7AB70-3D91-433D-8D9E-E1B52035C47F} ({05B2F74E-2712-46BA-BCA3-F65A46BF0E00})
2015-09-21 22:21:42Z  First Load: {8E908FC9-BECC-40F6-915B-F4CA0E70D03D} (IShellFolder)
2015-09-21 22:21:55Z  First Load: {1D27F844-3A1F-4410-85AC-14651078412D} (IContextMenu)
2015-09-21 22:30:30Z  First Load: {0A88C858-7D0C-4549-9499-7DB05F0CB0BF} (IExplorerCommand)
2015-09-21 22:30:30Z  First Load: {1A0391BF-9564-4294-B0A4-06C298929EF9} (IExplorerCommand)
2015-09-22 08:08:32Z  First Load: {D6791A63-E7E2-4FEE-BF52-5DED8E86E9B8} (IContextMenu)
2015-09-22 08:08:32Z  First Load: {59099400-57FF-11CE-BD94-0020AF85B590} (IContextMenu)
2015-09-22 08:10:26Z  First Load: {D20EA4E1-3957-11D2-A40B-0C5020524153} (IShellFolder)
2015-09-22 08:10:26Z  First Load: {BD84B380-8CA2-1069-AB1D-08000948F534} (IShellFolder)
2015-09-22 17:44:02Z  First Load: {F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {1F2E5C40-9550-11CE-99D2-00AA006E086C} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {4A7DED0A-AD25-11D0-98A8-0800361B1103} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {55B3A0BD-4D28-42FE-8CFB-FA3EDFF969B8} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {596AB062-B4D2-4215-9F74-E9109B0A8153} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {7988B573-EC89-11CF-9C00-00AA00A14F56} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {85BBD920-42A0-1069-A2E4-08002B30309D} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {7EFA68C6-086B-43E1-A2D2-55A113531240} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 18:49:23Z  First Load: {FBF23B40-E3F0-101B-8488-00AA003E56F8} ({00021500-0000-0000-C000-000000000046})
2015-09-23 09:45:08Z  First Load: {E7E4BC40-E76A-11CE-A9BB-00AA004AE837} (IShellFolder)
2015-09-23 09:45:08Z  First Load: {E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} (IShellFolder)
2015-09-23 09:45:49Z  First Load: {2559A1F3-21D7-11D4-BDAF-00C04F60B9F0} (IContextMenu)
2015-09-23 10:14:38Z  First Load: {7B81BE6A-CE2B-4676-A29E-EB907A5126C5} (IShellFolder)
2015-09-23 11:16:58Z  First Load: {9343812E-1C37-4A49-A12E-4B2D810D956B} (IShellFolder)
2015-09-23 11:17:05Z  First Load: {C7657C4A-9F68-40FA-A4DF-96BC08EB3551} ({E357FCCD-A995-4576-B01F-234630154E96})
2019-08-29 11:03:59Z  First Load: {C58C4893-3BE0-4B45-ABB5-A63E4B8C8651} (IShellFolder)
2019-08-29 11:03:59Z  First Load: {D8F0F5E7-11C5-4E95-BBFF-0F110C0221C4} ({05B2F74E-2712-46BA-BCA3-F65A46BF0E00})
2019-08-29 11:32:41Z  First Load: {7BD29E01-76C1-11CF-9DD0-00A0C9034933} (IShellFolder)
2019-08-29 11:34:15Z  First Load: {8D80504A-0826-40C5-97E1-EBC68F953792} ({886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99})
2021-01-14 06:24:39Z  First Load: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} ({AC60F6A0-0FD9-11D0-99CB-00C04FD64497})
2021-01-14 06:27:00Z  First Load: {A3C3D402-E56C-4033-95F7-4885E80B0111} (IDelegateFolder)
2021-01-14 06:57:09Z  First Load: {BD472F60-27FA-11CF-B8B4-444553540000} (IContextMenu)
2021-01-14 07:28:17Z  First Load: {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} ({000214E9-0000-0000-C000-000000000046})
2021-01-14 07:28:17Z  First Load: {7444C719-39BF-11D1-8CD9-00C04FC29D45} ({000214E9-0000-0000-C000-000000000046})
2021-01-14 07:28:17Z  First Load: {3EA48300-8CF6-101B-84FB-666CCB9BCD32} ({000214E9-0000-0000-C000-000000000046})
----------------------------------------
cmdproc v.20200515
(NTUSER.DAT) Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive

Software\Microsoft\Command Processor
LastWrite Time 2015-09-21 09:17:32Z
AutoRun value not found.
----------------------------------------
comdlg32 v.20200517

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
LastWrite Time 2019-08-29 11:49:54Z
CIDSizeMRU
LastWrite: 2019-08-29 11:50:05Z
Note: All value names are listed in MRUListEx order.

  iexplore.exe
  NOTEPAD.EXE
  mmc.exe

FirstFolder
LastWrite time: 2015-09-22 08:14:05Z
Note: All value names are listed in MRUListEx order.

  C:\Windows\system32\mmc.exe c:\drivers 

LastVisitedPidlMRU
LastWrite time: 2019-08-29 11:50:05Z
Note: All value names are listed in MRUListEx order.

  iexplore.exe - Users

OpenSavePidlMRU
LastWrite time: 2019-08-29 11:49:54Z
OpenSavePidlMRU\*
LastWrite Time: Thu Aug 29 11:50:05 2019
Note: All value names are listed in MRUListEx order.

  Users\agent.py
  Users\get-pip.py

OpenSavePidlMRU\py
LastWrite Time: Thu Aug 29 11:50:05 2019
Note: All value names are listed in MRUListEx order.

  Users\agent.py
  Users\get-pip.py


----------------------------------------
compdesc v.20200511
(NTUSER.DAT) Gets contents of user's ComputerDescriptions key

Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions not found.
----------------------------------------
DDO v.20140414
(NTUSER.DAT) Gets user's DeviceDisplayObjects key contents

Software\Microsoft\Windows NT\CurrentVersion\DeviceDisplayObjects not found.
----------------------------------------
disablemru v.20190924
(NTUSER.DAT, Software) Checks settings disabling user's MRUs

----------------------------------------
environment v.20200512
(System, NTUSER.DAT) Get environment vars from NTUSER.DAT & System hives

Environment
LastWrite Time: 2019-08-29 11:38:24Z

TEMP                      %USERPROFILE%\AppData\Local\Temp                  
TMP                       %USERPROFILE%\AppData\Local\Temp                  
----------------------------------------
featureusage v.20200511
(NTUSER.DAT) Extracts user's FeatureUsage data.

Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage not found.
----------------------------------------
[-] SOFTWARE\HeidiSQL not found.
[-] SOFTWARE\HeidiSQL\Servers not found.

----------------------------------------
identities v.20200525
(NTUSER.DAT) Extracts values from Identities key; NTUSER.DAT

Identities
LastWrite Time 2015-09-21 09:21:04Z

Identity Ordinal                         1                             
Migrated7                                1                             
Last Username                            Main Identity                 
Last User ID                             {A32463F1-EACB-4163-B08F-F74E5D25977C}
Identity Login                           622675                        
Default User ID                          {A32463F1-EACB-4163-B08F-F74E5D25977C}

----------------------------------------
injectdll64 v.20200427
(NTUSER.DAT, Software) Retrieve values set to weaken Chrome security

Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls not found.
Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls not found.
----------------------------------------
jumplistdata v.20200517
Gets contents of user's JumpListData key

Software\Microsoft\Windows\CurrentVersion\Search\JumpListData not found.
----------------------------------------
knowndev v.20200515
(NTUSER.DAT) Gets user's KnownDevices key contents

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices not found.
----------------------------------------
listsoft v.20200517
(NTUSER.DAT) Lists contents of user's Software key

List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

2021-05-18 10:24:42Z 	Microsoft
2021-01-14 06:25:05Z 	Cygwin
2015-09-22 18:52:20Z 	Sysinternals
2015-09-21 10:03:49Z 	AppDataLow
2015-09-21 09:17:37Z 	Winternals
2015-09-21 09:17:32Z 	Policies
----------------------------------------
load v.20200517
(NTUSER.DAT) Gets load and run values from user hive

load
Software\Microsoft\Windows NT\CurrentVersion\Windows
LastWrite Time 2015-09-21 09:17:33Z

load value not found.
run value not found.
----------------------------------------
logonstats v.20200517
Gets contents of user's LogonStats key

Software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats not found.
----------------------------------------
lxss v.20200511
(NTUSER.DAT) Gets WSL config.

Software\Microsoft\Windows\CurrentVersion\Lxss not found.
----------------------------------------
mixer v.20200517
(NTUSER.DAT) Checks user's audio mixer settings

----------------------------------------
mmc v.20200517
(NTUSER.DAT) Get contents of user's MMC\Recent File List key

MMC - Recent File List
Software\Microsoft\Microsoft Management Console\Recent File List
LastWrite Time 2019-08-29 12:00:52Z
  File1 -> C:\Windows\system32\WF.msc
  File2 -> C:\Windows\system32\compmgmt.msc
----------------------------------------
mmo v.20200517
(NTUSER.DAT) Checks NTUSER for Multimedia\Other values [malware]

Software\Microsoft\Multimedia\Other not found.
Software\Microsoft\CTF\LangBarAddIn not found.
----------------------------------------
mndmru v.20200517
(NTUSER.DAT) Get contents of user's Map Network Drive MRU

Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU not found.
----------------------------------------
mp2 v.20200526
(NTUSER.DAT) Gets user's MountPoints2 key contents

MountPoints2
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
LastWrite Time 2021-01-14 06:20:19Z

Remote Drives:
2021-01-14 06:20:19Z
  ##vboxsrv#share

Volumes:
2015-09-22 17:43:43Z
  {762f4ebc-60ea-11e5-83af-806e6f6e6963}
2015-09-21 22:21:32Z
  {8358fe6d-60fa-11e5-bb4a-806e6f6e6963}
2015-09-21 09:44:39Z
  {a5b8a980-608c-11e5-a266-806e6f6e6963}
  {a5b8a983-608c-11e5-a266-806e6f6e6963}

Drives:
2015-09-21 09:19:50Z - CPC

Unique MAC Addresses:
80:6E:6F:6E:69:63

Analysis Tip: Correlate the Volume entries to those found in the MountedDevices
entries that begin with "\??\Volume".
----------------------------------------
mpmru v.20200517
(NTUSER.DAT) Gets user's Media Player RecentFileList values

Software\Microsoft\MediaPlayer\Player\RecentFileList not found.
----------------------------------------
msoffice v.20200518

----------------------------------------
muicache v.20200525
(NTUSER.DAT,USRCLASS.DAT) Gets EXEs from user's MUICache key

Software\Microsoft\Windows\ShellNoRoam\MUICache not found.

Local Settings\Software\Microsoft\Windows\Shell\MUICache not found.
----------------------------------------
nation v.20200517
(ntuser.dat) Gets region information from HKCU

Nation Information Check
Control Panel\International\Geo
LastWrite time: 2015-09-21 09:17:32Z

The Region value is : 244
The Country Is: United States
For more information please visit the link below:
https://msdn.microsoft.com/en-us/library/aa723531.aspx

----------------------------------------
oisc v.20091125
(NTUSER.DAT) Gets contents of user's Office Internet Server Cache

Office Version: 
Software\Microsoft\Office\\Common\Internet\Server Cache not found.
----------------------------------------
onedrive v.20200515
(NTUSER.DAT) Gets contents of user's OneDrive key

Software\Microsoft\OneDrive not found.
----------------------------------------
OSVersion
Software\Microsoft
LastWrite Time 2021-05-18 10:24:42Z

OSVersion value not found.
----------------------------------------
outlookhomepage v.20201002
(NTUSER.DAT, Software) Retrieve values set to attack Outlook WebView Homepage

Looking for webview homepage modifications. If this value is pointing
to a URL outside the corporate domain it may be a malicious site.

Looking for key values associated with security.
If you see:
[Example]  EnableRoamingFolderHomepages : 1
[Example]  NonDefaultStoreScript : 1
[Example]  EnableUnsafeClientMailRules : 1
You may have a security vulnerability that allows attackers to hijack the URL

----------------------------------------
pendinggpos v.20200427
NTUSER.DAT - Gets contents of user's PendingGPOs key

Software\Microsoft\IEAK\GroupPolicy\PendingGPOs not found.
----------------------------------------
profiler v.20200525
(NTUSER.DAT, System) Environment profiler information

Environment
LastWrite Time 2019-08-29 11:38:24Z

TEMP -> %USERPROFILE%\AppData\Local\Temp
TMP -> %USERPROFILE%\AppData\Local\Temp

----------------------------------------
pslogging v.20200515
(NTUSER.DAT, Software) Extracts PowerShell logging settings

Software\Policies\Microsoft\Windows\PowerShell not found.
Policies\Microsoft\Windows\PowerShell not found.
----------------------------------------
putty v.20200515
(NTUSER.DAT) Extracts the saved SshHostKeys for PuTTY.

Software\SimonTatham\PuTTY\SshHostKeys not found.

----------------------------------------
recentapps v.20200515
- Gets contents of user's RecentApps key

Software\Microsoft\Windows\CurrentVersion\Search\RecentApps not found.
----------------------------------------
recentdocs v.20200427
(NTUSER.DAT) Gets contents of user's RecentDocs key

RecentDocs
**All values printed in MRUList\MRUListEx order.
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
LastWrite Time: 2021-01-14 06:48:06Z
  9 = Network and Internet
  14 = Downloads
  15 = agent.py
  13 = get-pip.py
  3 = System and Security
  12 = Troubleshooting
  5 = System32
  4 = eula.txt
  11 = 32Bit
  10 = Readme.txt
  8 = Display
  7 = Windows Update
  1 = Floppy Disk Drive (A:)
  6 = post-win-updates.ps1
  0 = OPENSSH.PS1
  2 = preprovisioner.ps1

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.PS1
LastWrite Time 2015-09-21 10:07:13Z
MRUListEx = 2,0,1
  2 = post-win-updates.ps1
  0 = OPENSSH.PS1
  1 = preprovisioner.ps1

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.py
LastWrite Time 2019-08-29 11:50:05Z
MRUListEx = 1,0
  1 = agent.py
  0 = get-pip.py

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
LastWrite Time 2015-09-23 09:46:19Z
MRUListEx = 0,1
  0 = eula.txt
  1 = Readme.txt

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
LastWrite Time 2021-01-14 06:48:06Z
MRUListEx = 5,8,1,7,2,6,4,3,0
  5 = Network and Internet
  8 = Downloads
  1 = System and Security
  7 = Troubleshooting
  2 = System32
  6 = 32Bit
  4 = Display
  3 = Windows Update
  0 = Floppy Disk Drive (A:)

----------------------------------------
run v.20200511
(Software, NTUSER.DAT) [Autostart] Get autostart key contents from Software hive

Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time 2015-09-21 09:21:20Z
Software\Microsoft\Windows\CurrentVersion\Run has no values.
Software\Microsoft\Windows\CurrentVersion\Run has no subkeys.

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run not found.

Software\Microsoft\Windows\CurrentVersion\RunOnce
LastWrite Time 2015-09-21 09:21:19Z
Software\Microsoft\Windows\CurrentVersion\RunOnce has no values.
Software\Microsoft\Windows\CurrentVersion\RunOnce has no subkeys.

Software\Microsoft\Windows\CurrentVersion\RunServices not found.

Software\Microsoft\Windows\CurrentVersion\RunServicesOnce not found.

Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run not found.

Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce not found.

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run not found.

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run not found.

Software\Microsoft\Windows\CurrentVersion\StartupApproved\Run not found.

Software\Microsoft\Windows\CurrentVersion\StartupApproved\Run32 not found.

Software\Microsoft\Windows\CurrentVersion\StartupApproved\StartupFolder not found.

----------------------------------------
runmru v.20200525
(NTUSER.DAT) Gets contents of user's RunMRU key

RunMru
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWrite Time 2021-01-14 06:24:58Z
MRUList = cba
a   F:\\1
b   powershell F:\\1
c   cmd F:\\1
----------------------------------------
runvirtual v.20200427
(NTUSER.DAT, Software) Gets RunVirtual entries

----------------------------------------
searchscopes v.20200517
- Gets contents of user's SearchScopes key

SearchScopes
Software\Microsoft\Internet Explorer\SearchScopes
DefaultScope: {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

{0633EE93-D776-472f-A0FF-E1416B8B2E3A} [2015-09-23 11:16:01Z]
DisplayName: Bing

----------------------------------------
sevenzip v.20210329
- Gets records of histories from 7-Zip keys

Software\7-Zip not found.
Software\Wow6432Node\7-Zip not found.
----------------------------------------
shc v.20200427
(NTUSER.DAT) Gets SHC entries from user hive

Software\Microsoft\Windows\CurrentVersion\UFH\SHC not found.
----------------------------------------
shellfolders v.20200515
Gets user's shell folders values

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
LastWrite Time 2015-09-21 09:21:12Z
StartUp folder : C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
LastWrite Time 2015-09-21 09:17:32Z
StartUp folder : %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
----------------------------------------
speech v.20200427
(NTUSER.DAT) Get values from user's Speech key

Software\Microsoft\Speech
----------------------------------------
SysInternals
Software\SysInternals
LastWrite Time 2015-09-22 18:52:20Z
BGInfo [2015-09-21 09:17:37Z]
  EulaAccepted: 1

Junction [2015-09-21 09:50:47Z]
  EulaAccepted: 1

SDelete [2015-09-22 18:52:20Z]
  EulaAccepted: 1

----------------------------------------
tsclient v.20200518
(NTUSER.DAT) Displays contents of user's Terminal Server Client\Default key

Software\Microsoft\Terminal Server Client\Default not found.

Software\Microsoft\Terminal Server Client\Servers not found.
----------------------------------------
typedpaths v.20200526
(NTUSER.DAT) Gets contents of user's typedpaths key

Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
LastWrite Time 2015-09-23 11:17:37Z

url1     C:\Users\IEUser\AppData       
----------------------------------------
typedurls v.20200526
(NTUSER.DAT) Returns contents of user's TypedURLs key.

TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
LastWrite Time 2021-01-14 07:13:35Z
  url1 -> http://192.168.178.253/adm
  url2 -> http://192.168.178.253/
  url3 -> http://10.10.0.8:8000/
  url4 -> 10.10.0.9:8000
  url5 -> https://bootstrap.pypa.io/get-pip.py
  url6 -> http://google.de/
  url7 -> https://www.python.org/getit
  url8 -> https://www.python.org/
  url9 -> http://go.microsoft.com/fwlink/?LinkId=69157
----------------------------------------
typedurlstime v.20200526
(NTUSER.DAT) Returns contents of user's TypedURLsTime key.

Software\Microsoft\Internet Explorer\TypedURLsTime not found.
----------------------------------------
uninstall v.20200525
(Software, NTUSER.DAT) Gets contents of Uninstall keys from Software, NTUSER.DAT hives

Uninstall
----------------------------------------
UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
LastWrite Time 2015-09-21 09:21:16Z

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
2021-05-18 10:25:07Z
  C:\Users\IEUser\Desktop\RegistryChangesView.exe (1)
2021-01-14 07:46:55Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\rundll32.exe (1)
2021-01-14 07:38:31Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell.exe (7)
2021-01-14 07:36:27Z
  C:\Users\IEUser\Desktop\tools\registrychangesview\RegistryChangesView.exe (1)
2021-01-14 07:33:04Z
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\hh.exe (1)
2021-01-14 07:32:42Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cmd.exe (12)
2021-01-14 07:32:28Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\taskmgr.exe (1)
2021-01-14 07:28:24Z
  C:\Users\IEUser\Desktop\tools\ProcessMonitor\Procmon.exe (1)
2021-01-14 06:45:05Z
  Microsoft.InternetExplorer.Default (19)
2021-01-14 06:25:57Z
  Microsoft.AutoGenerated.{3FF063FA-5909-6285-41A9-E4C7DF085FC5} (7)
2021-01-14 06:22:51Z
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\explorer.exe (8)
2019-08-29 11:59:29Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WF.msc (1)
2019-08-29 11:36:44Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\msconfig.exe (1)
2019-08-29 11:35:31Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\msiexec.exe (2)
2019-08-29 10:47:38Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\control.exe (1)
2015-09-23 11:13:45Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\wuapp.exe (16)
2015-09-23 11:03:59Z
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (3)
2015-09-23 11:02:20Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SystemPropertiesComputerName.exe (2)
2015-09-23 10:13:50Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe (12)
2015-09-23 09:48:26Z
  Microsoft.AutoGenerated.{5B29B9AE-8060-1960-9833-2F50C0175C01} (1)
2015-09-23 09:46:31Z
  C:\Users\IEUser\Desktop\compact.bat (2)
2015-09-21 22:30:38Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\CompMgmtLauncher.exe (2)
2015-09-21 09:47:50Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell_ise.exe (1)
2015-09-21 09:19:29Z
  Microsoft.Windows.GettingStarted (14)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\displayswitch.exe (13)
  Microsoft.Windows.RemoteDesktop (12)
  Microsoft.Windows.StickyNotes (11)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SnippingTool.exe (10)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\calc.exe (9)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\mspaint.exe (8)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\xpsrchvw.exe (7)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WFS.exe (6)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\magnify.exe (5)

Value names with no time stamps:
  UEME_CTLCUACount:ctor
  Microsoft.Windows.Shell.RunDialog
  Microsoft.Windows.ControlPanel
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenSSH\bin\ssh-keygen.exe
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenSSH\bin\mv.exe
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\SoftwareDistribution\Download\Install\EnableTask.exe
  C:\BGinfo\BGINFO.EXE
  D:\VBOXWINDOWSADDITIONS-X86.EXE
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SystemPropertiesAdvanced.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\rstrui.exe
  Microsoft.AutoGenerated.{935761F8-94E4-FFA7-A8C0-F1AB2CDEC750}
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\msdt.exe
  Microsoft.Windows.ControlPanel.Taskbar
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cleanmgr.exe
  Microsoft.Windows.WindowsInstaller
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\JAM Software\TreeSize Free\unins000.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\wscript.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\slui.exe

{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
2021-01-14 07:38:31Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Windows PowerShell\Windows PowerShell.lnk (4)
2021-01-14 06:45:05Z
  {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Internet Explorer.lnk (19)
2021-01-14 06:26:04Z
  {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Command Prompt.lnk (5)
2021-01-14 06:25:57Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Windows PowerShell Modules.lnk (7)
2021-01-14 06:22:51Z
  {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Windows Explorer.lnk (8)
2019-08-29 11:59:29Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Windows Firewall with Advanced Security.lnk (1)
2019-08-29 11:36:44Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\System Configuration.lnk (1)
2015-09-23 11:13:45Z
  C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk (16)
2015-09-23 09:48:26Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\TreeSize Free\TreeSize Free.lnk (1)
2015-09-23 09:46:19Z
  C:\Users\IEUser\Desktop\eula.lnk (3)
2015-09-21 09:19:29Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Welcome Center.lnk (14)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\displayswitch.lnk (13)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Remote Desktop Connection.lnk (12)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Sticky Notes.lnk (11)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Snipping Tool.lnk (10)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Calculator.lnk (9)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Paint.lnk (8)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\XPS Viewer.lnk (7)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Windows Fax and Scan.lnk (6)
  {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Accessibility\Magnify.lnk (5)

Value names with no time stamps:
  UEME_CTLCUACount:ctor

----------------------------------------
wc_shares v.20200515
- Gets contents of user's WorkgroupCrawler/Shares subkeys

Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares not found.
----------------------------------------
winrar v.20200526
(NTUSER.DAT) Get WinRAR\ArcHistory entries

Software\WinRAR\ArcHistory not found.
----------------------------------------
winscp v.20201227
(NTUSER.DAT) Gets user's WinSCP 2 data

Software\Martin Prikryl\WinSCP 2 not found.
----------------------------------------
winzip v.20200526
(NTUSER.DAT) Get WinZip extract and filemenu values

Software\Nico Mak Computing\WinZip not found.
----------------------------------------
wordwheelquery v.20200823
(NTUSER.DAT) Gets contents of user's WordWheelQuery key

Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery not found.
----------------------------------------
