Links

Anydesk
Process Hacker
dll detector
SS Tool
Activity Viewer
Search Everything
Browsing history viewer
USB Deview
Other ss guide
Luyten
USB Detector
Other USB Detector

1.​ C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent

2.​C:\Users\%username%\AppData\Local\CrashDumps

3.​Powershell ISE - (Get-PSReadlineOption).HistorySavePath - Open text file

4.​ Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

5.​Save to txt - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts - Search

process hacker (for dlls injected)

6.​C:\$Recycle.Bin

7.​Look in latest.log for chat logs

8.​Check launcher_accounts.json in .minecraft for alts

Process Hacker

1.​ explorer.exe - pcaclient

2.​explorer.exe - file:/// * {"displayText"

3.​explorer.exe - \users\ - .exe / .jar

4.​SearchIndexer - file:c / .exe

5.​Check browser - download

6.​Check last activity viewer

7.​echo.ac/sgrm and follow instructions there

8.​csrss - :\

9.​Cdpu - ,"platform":"x_exe_path"},

10.​ Pcasvc - .exe or e,0a000000,Reason,00002100

 11.​ DPS - !! - .exe / downloads

CMD (run as admin)​

1.​ fsutil usn readjournal c: csv > AllTheJournal.txt

2.​fsutil usn readjournal c: csv | findstr /i /C:.exe >> client.txt

3.​fsutil usn readjournal c: csv | findstr /i /C:".pf" | findstr /i

/C:"0x80000200" > %userprofile%\Desktop\Deleted-PF.txt

4.​fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i

/c:0x80000200 >> DeletedExes.txt

5.​fsutil usn deleteJournal /D C:

6.​fsutil usn queryJournal c:

7.​fsutil usn createJournal m=2147483648 a=1 C:

Private methods : ​
​
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass &&
powershell Invoke-Expression (Invoke-RestMethod
https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
(You need to run cmd in admin mode)

Useful
●​ Win+r
C:$Recycle.Bin shell:recent prefetch %temp% %appdata%
%LOCALAPPDATA%\CrashDumps firewall.cpl
●​ Regedit
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\
UserSettings HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

​ Programs
●​ System informer https://systeminformer.sourceforge.io/canary
●​ WinPrefetchview: https://www.nirsoft.net/utils/win_prefetch_view.html
●​ Search Everything: https://www.voidtools.com/downloads/
●​ Last Activity View: https://www.nirsoft.net/utils/lastactivityview.zip
●​ USB Deview: https://www.nirsoft.net/utils/usbdeview.zip
●​ Recaf https://github.com/Col-E/Recaf
●​ Journal trace: https://github.com/spokwn/JournalTrace/releases/tag/1.2
●​ Downloads:
https://www.nirsoft.net/utils/web_browser_downloads_view.html
●​ Folder modified https://www.nirsoft.net/utils/shellbagsview.zip
●​ Echo usb https://dl.echo.ac/tool/usb
●​ Echo Journal https://dl.echo.ac/tool/journal
●​ Osforensics https://www.osforensics.com/download.html
​ System Informer
​ System Informer
​ System Informer, A free, powerful, multi-purpose tool that helps you monitor
system resources, debug software and detect malware.
​ NirSoft
​ View the content of Windows Prefetch (.pf) files
​ View the content of Windows Prefetch (.pf) files
​
​ cd c:\users%username%\desktop && fsutil usn readjournal c: csv | findstr /i
/c:.exe | findstr /i /c:0x80000200 >> DeletedF.txt && notepad DeletedF.txt cd
c:\users%username%\desktop && fsutil usn readjournal c: csv | findstr /i /c:.exe |
 findstr /i /c:0x00000100 >> CreatedF.txt && notepad CreatedF.txt cd
c:\users%username%\desktop && fsutil usn readjournal c: csv | findstr /i /C:".pf" |
findstr /i /C:"0x80000200" >> DeletedPF.txt && notepad DeletedPF.txt - prefetch
cd c:\users%username%\desktop && fsutil usn readjournal c: csv | findstr /i
/C:".pf" | findstr /i /C:"%date%" | findstr /i /C:"net" /i /C:"net1" >> ProcessR.txt &&
notepad ProcessR.txt process restart cd c:\users%username%\desktop && echo
============= old file name ======== >> FIlesRNO.txt && fsutil usn
readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00001000 >> FIlesRNO.txt &&
echo ============= new name files ========= >> FIlesRNO.txt && fsutil usn
readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00002000 >> FIlesRNO.txt
rename files
​ [
​ 10:37 PM
​ ]
​ Get-ChildItem -Recurse $env:temp*.dll -ea SilentlyContinue| ForEach-object
{Get-AuthenticodeSignature $ -ea SilentlyContinue} | Where-Object {$.status -ine
"Valid"}|Select Status,Path - Checks for unsigned dlls Get-ChildItem -Recurse
$env:temp*.exe -ea SilentlyContinue| ForEach-object
{Get-AuthenticodeSignature $ -ea SilentlyContinue} | Where-Object {$.status -ine
"Valid"}|Select Status,Path - Checks for unsigned exes
●​ Services only*
​ get-service | findstr -i "pcasvc"; get-service | findstr -i "DPS"; get-service | findstr
-i "Diagtrack"; get-service | findstr -i "sysmain"; get-service | findstr -i "eventlog";
get-service | findstr -i "sgrmbroker": get-service | findstr -i "cdpusersvc"