Functionality in ScreenSharing

LastActivityView serves as an excellent first-look tool during screenshares to quickly get a chronological overview of recent user actions:

  • Detecting File Execution: Shows recently run executables based on Prefetch data and potentially UserAssist or other registry traces.

  • Identifying Opened/Saved Files: Particularly useful for spotting recently accessed documents, images, archives, or potential cheat configuration files (.cfg, .ini, .json) based on the Open/Save MRU registry data it parses.

  • Tracking DLL Usage/Interaction: Can be effective at highlighting interactions with .dll files, especially those loaded via standard mechanisms or those that might have spoofed extensions (e.g., a cheat .dll renamed to look like a .cfg or .dat file). Often, the act of an injector selecting a DLL via an "Open File" dialog, or a program loading a configuration file, will register in the OpenSavePidlMRU keys, which LastActivityView surfaces.

  • Timeline Correlation: By presenting data from multiple sources sorted by time, it aids in establishing basic timelines and correlating different actions (e.g., downloading an archive, then an executable running from a temporary extraction folder shortly after).
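The checks above (archive opened, then something run from a temp extraction folder shortly after; a file whose name says `.cfg` but whose bytes say PE) can be scripted over a LastActivityView export so a reviewer does not have to eyeball every row. The following is an added example, not NirSoft's code and not part of the original page: it assumes the export has been saved as CSV with the columns time, action, path, data source (the column order is an assumption; adjust it to match the actual export) and uses constructed sample rows.

```python
"""Triage helpers for a LastActivityView-style CSV export (added example, not NirSoft's code)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Event:
    time: datetime
    action: str    # e.g. "Run", "Open/Save"
    path: str
    source: str    # artifact the row was recovered from (Prefetch, OpenSavePidlMRU, ...)


# Constructed sample export. Column order (time, action, path, data source) is an
# assumption about the export layout; every row below is invented for the demo.
SAMPLE_EXPORT = """\
2024-05-01 20:01:10,Open/Save,C:\\Users\\demo\\Downloads\\loader.zip,OpenSavePidlMRU
2024-05-01 20:03:42,Run,C:\\Users\\demo\\AppData\\Local\\Temp\\loader\\inject.exe,Prefetch
2024-05-01 20:04:05,Open/Save,C:\\Users\\demo\\AppData\\Local\\Temp\\loader\\settings.cfg,OpenSavePidlMRU
2024-05-01 21:30:00,Run,C:\\Windows\\System32\\notepad.exe,Prefetch
"""

ARCHIVE_EXTS = (".zip", ".rar", ".7z")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\tmp\\")
PE_EXTS = (".exe", ".dll", ".sys", ".scr")


def parse_export(text: str) -> List[Event]:
    """Parse 'time,action,path,source' rows and return them in chronological order."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip header or malformed lines
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        events.append(Event(when, row[1], row[2], row[3]))
    return sorted(events, key=lambda e: e.time)


def is_temp_path(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def extract_then_run(events: List[Event],
                     window: timedelta = timedelta(minutes=10)) -> List[Tuple[Event, Event]]:
    """Pair each archive Open/Save with any later Run from a temp folder inside `window`."""
    hits = []
    for i, archive in enumerate(events):
        if not archive.path.lower().endswith(ARCHIVE_EXTS):
            continue
        for later in events[i + 1:]:
            if later.time - archive.time > window:
                break  # events are sorted, nothing further can be inside the window
            if later.action == "Run" and is_temp_path(later.path):
                hits.append((archive, later))
    return hits


def looks_like_spoofed_pe(path: str, header: bytes) -> bool:
    """True when the file starts with the PE 'MZ' stub but its name does not claim to be one."""
    return header[:2] == b"MZ" and not path.lower().endswith(PE_EXTS)


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for archive, run in extract_then_run(events):
        print(f"{archive.time} opened {archive.path} -> {run.time} ran {run.path}")
    # Constructed header bytes standing in for the first bytes read from the file on disk.
    print(looks_like_spoofed_pe("settings.cfg", b"MZ\x90\x00"))
```

The `looks_like_spoofed_pe` check only needs the first two bytes of the file, so it can be run over every path the export names without copying anything; a `.cfg` or `.dat` that begins with `MZ` is worth opening in a PE viewer rather than a text editor.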