Fix path and update

reuteras · Nov 12, 2023 · 029a361 · 029a361
1 parent 6a54703
commit 029a361
Showing 1 changed file with 64 additions and 19 deletions.
diff --git a/setup/start_sandbox.ps1 b/setup/start_sandbox.ps1
@@ -1,7 +1,7 @@
 # DFIRWS
 
 # Import common functions
-. C:\Users\WDAGUtilityAccount\Documents\tools\common.ps1
+. C:\Users\WDAGUtilityAccount\Documents\tools\wscommon.ps1
 
 $WIN10=(Get-ComputerInfo | Select-Object -expand OsName) -match 10
 #$WIN11=(Get-ComputerInfo | Select-Object -expand OsName) -match 11
@@ -146,26 +146,31 @@ Stop-Process -ProcessName Explorer -Force
 
 # Add to PATH
 Write-DateLog "Add to PATH"
+Add-ToUserPath "$env:ProgramFiles\4n4lDetector"
 Add-ToUserPath "$env:ProgramFiles\7-Zip"
 Add-ToUserPath "$env:ProgramFiles\bin"
 Add-ToUserPath "$env:ProgramFiles\Git\bin"
-Add-ToUserPath "$env:ProgramFiles\Git\usr\bin\"
+Add-ToUserPath "$env:ProgramFiles\Git\usr\bin"
 Add-ToUserPath "$env:ProgramFiles\hxd"
-Add-ToUserPath "$env:ProgramFiles\Notepad++\"
-Add-ToUserPath "C:\git\Events-Ripper\"
+Add-ToUserPath "$env:ProgramFiles\idr\bin"
+Add-ToUserPath "$env:ProgramFiles\Notepad++"
+Add-ToUserPath "C:\git\Events-Ripper"
 Add-ToUserPath "C:\git\RegRipper3.0"
 Add-ToUserPath "C:\Tools\bin"
 Add-ToUserPath "C:\Tools\bulk_extractor\win64"
 Add-ToUserPath "C:\Tools\capa"
 Add-ToUserPath "C:\Tools\chainsaw"
 Add-ToUserPath "C:\Tools\cutter"
+Add-ToUserPath "C:\Tools\DB Browser for SQLite"
 Add-ToUserPath "C:\Tools\DidierStevens"
 Add-ToUserPath "C:\Tools\die"
 Add-ToUserPath "C:\Tools\elfparser-ng\Release"
 Add-ToUserPath "C:\Tools\exiftool"
 Add-ToUserPath "C:\Tools\fakenet"
+Add-ToUserPath "C:\Tools\fasm"
 Add-ToUserPath "C:\Tools\floss"
 Add-ToUserPath "C:\Tools\FullEventLogView"
+Add-ToUserPath "C:\Tools\gftrace64"
 Add-ToUserPath "C:\Tools\GoReSym"
 Add-ToUserPath "C:\Tools\hayabusa"
 Add-ToUserPath "C:\Tools\imhex"
@@ -177,9 +182,12 @@ Add-ToUserPath "C:\Tools\nmap"
 Add-ToUserPath "C:\Tools\node"
 Add-ToUserPath "C:\Tools\systeminformer\x64"
 Add-ToUserPath "C:\Tools\systeminformer\x86"
+Add-ToUserPath "C:\Tools\pev"
 Add-ToUserPath "C:\Tools\pstwalker"
 Add-ToUserPath "C:\Tools\qpdf\bin"
 Add-ToUserPath "C:\Tools\radare2"
+Add-ToUserPath "C:\Tools\redress"
+Add-ToUserPath "C:\Tools\resource_hacker"
 Add-ToUserPath "C:\Tools\ripgrep"
 Add-ToUserPath "C:\Tools\scdbg"
 Add-ToUserPath "C:\Tools\sqlite"
@@ -188,6 +196,8 @@ Add-ToUserPath "C:\Tools\sysinternals"
 Add-ToUserPath "C:\Tools\thumbcacheviewer"
 Add-ToUserPath "C:\Tools\trid"
 Add-ToUserPath "C:\Tools\upx"
+Add-ToUserPath "C:\Tools\WinApiSearch"
+Add-ToUserPath "C:\Tools\WinObjEx64"
 Add-ToUserPath "C:\Tools\XELFViewer"
 Add-ToUserPath "C:\Tools\Zimmerman"
 Add-ToUserPath "C:\Tools\Zimmerman\EvtxECmd"
@@ -270,6 +280,9 @@ Copy-Item $HOME\Documents\tools\jupyter\*.ipynb "$HOME\Documents\jupyter\"
 New-Item -Path HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Force
 Set-ItemProperty -Path HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 1 -Force
 
+Copy-Item -Recurse -Force C:\Tools\4n4lDetector "C:\Program Files"
+Copy-Item -Recurse -Force C:\git\IDR "C:\Program Files"
+
 # Add cmder
 if ($WSDFIR_CMDER -eq "Yes") {
     & "$env:ProgramFiles\7-Zip\7z.exe" x -aoa "$SETUP_PATH\cmder.7z" -o"$env:ProgramFiles\cmder"
@@ -347,8 +360,11 @@ mkdir "$HOME\Desktop\dfirws"
 mkdir "$HOME\Desktop\dfirws\Browser"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Browser\hindsight.lnk" -DestinationPath "C:\Tools\bin\hindsight_gui.exe"
 mkdir "$HOME\Desktop\dfirws\Database"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\DB Browser for SQLite.lnk" -DestinationPath "C:\Tools\DB Browser for SQLite\DB Browser for SQLite.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\fqlite.lnk" -DestinationPath "C:\Tools\fqlite\run.bat"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\SQLECmd.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation "C:\Tools\Zimmerman\SQLECmd\SQLECmd.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\sqlite3.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation "C:\Tools\sqlite\sqlite3.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\SQLiteWalker.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 # C:\Tools\DidierStevens
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\DidierStevens.lnk" -DestinationPath "C:\Tools\DidierStevens"
 mkdir "$HOME\Desktop\dfirws\Disk"
@@ -382,21 +398,26 @@ mkdir "$HOME\Desktop\dfirws\Malware tools"
 mkdir "$HOME\Desktop\dfirws\Malware tools\Cobalt Strike"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Malware tools\Cobalt Strike\1768.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Malware tools\Cobalt Strike\BeaconHunter.lnk" -DestinationPath "C:\Program Files\bin\BeaconHunter.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Malware tools\Cobalt Strike\CobaltStrikeScan.lnk" -DestinationPath "C:\Tools\bin\CobaltStrikeScan.exe"
 mkdir "$HOME\Desktop\dfirws\Network"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Network\Fakenet.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "C:\Tools\fakenet" -Iconlocation "C:\Tools\fakenet\fakenet.exe"
 mkdir "$HOME\Desktop\dfirws\Office and email"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\Mbox Viewer.lnk" -DestinationPath "C:\Tools\mboxviewer\mboxview64.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\MetadataPlus.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation "C:\Tools\bin\MetadataPlus.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\mraptor.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\msgviewer.lnk" -DestinationPath "C:\Tools\lib\msgviewer.jar"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\msodde.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\oledump.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\oleid.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\olevba.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\rtfdump.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\rtfobj.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\msodde.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\oledump.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\oleid.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\olevba.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\msgviewer.lnk" -DestinationPath "C:\Tools\pstwalker\pstwalker.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\rtfdump.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\rtfobj.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\Structured Storage Viewer (SSView).lnk" -DestinationPath "C:\Tools\ssview\SSView.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\tree.com.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\zipdump.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\tree.com.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Office and email\zipdump.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+mkdir "$HOME\Desktop\dfirws\Online tools"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Online tools\vt.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\PDF"
 if ($WSDFIR_PDFSTREAM -eq "Yes") {
     Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PDF\pdfstreamdumper.lnk" -DestinationPath "C:\Sandsprite\PDFStreamDumper\PDFStreamDumper.exe"
@@ -406,37 +427,52 @@ Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PDF\pdfid.py.lnk" -DestinationPath
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PDF\peepdf.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PDF\qpdf.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\PE"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\4n4lDetector.lnk" -DestinationPath "C:\Program Files\4n4lDetector\4N4LDetector.exe"
 Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\capa.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation C:\Tools\capa\capa.exe
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\Debloat.lnk" -DestinationPath "C:\Tools\bin\debloat.exe"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\dll_to_exe.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\hollows_hunter.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation C:\Tools\bin\hollows_hunter.exe
+#Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\pe2shc.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation C:\Tools\bin\pe2shc.exe
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\PE-bear.lnk" -DestinationPath "C:\Tools\pebear\PE-bear.exe"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\PE-sieve.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation C:\Tools\bin\pe-sieve.exe
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\pestudio.lnk" -DestinationPath "C:\Tools\pestudio\pestudio\pestudio.exe"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\pescan.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "C:\Tools\pev"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\Resource Hacker.lnk" -DestinationPath "C:\Tools\resource_hacker\ResourceHacker.exe"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\shellconv.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\PE\WinObjEx64.lnk" -DestinationPath "C:\Tools\WinObjEx64\WinObjEx64.exe"
 mkdir "$HOME\Desktop\dfirws\Programming"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\java.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\node.lnk" -DestinationPath "C:\Tools\node\node.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Python.lnk" -DestinationPath "C:\venv\default\Scripts\python.exe"
+mkdir "$HOME\Desktop\dfirws\Programming\Delphi"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Delphi\idr.lnk" -DestinationPath "C:\Program Files\idr\bin\Idr.exe"
 mkdir "$HOME\Desktop\dfirws\Programming\Go"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Go\gftrace.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Go\GoReSym.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\Java"
 if ($WSDFIR_JAVA_JAVA -eq "Yes") {
     Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Java\jadx-gui.lnk" -DestinationPath "$env:ProgramFiles\jadx\bin\jadx-gui.bat"
 }
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Java\jd-gui.lnk" -DestinationPath "C:Tools\jd-gui\jd-gui.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Programming\Java\jd-gui.lnk" -DestinationPath "C:\Tools\jd-gui\jd-gui.exe"
 mkdir "$HOME\Desktop\dfirws\Registry"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Registry\Registry Explorer.lnk" -DestinationPath "C:\Tools\Zimmerman\RegistryExplorer\RegistryExplorer.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Registry\RegRipper (rip).lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\Reverse Engineering"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\Cutter.lnk" -DestinationPath "C:\Tools\cutter\cutter.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\dnSpy32.lnk" -DestinationPath "C:\Tools\dnSpy32\dnSpy.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\dnSpy64.lnk" -DestinationPath "C:\Tools\dnSpy64\dnSpy.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\ghidraRun.lnk" -DestinationPath "C:\Tools\ghidra\ghidraRun.bat"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\radare2.lnk" -DestinationPath "C:\Tools\ghidra\radare2.bat"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\fasm.lnk" -DestinationPath "C:\Tools\fasm\FASM.EXE"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\Ghidra.lnk" -DestinationPath "C:\Tools\ghidra\ghidraRun.bat"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\radare2.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 if ($WSDFIR_X64DBG -eq "Yes") {
     Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\x32dbg.lnk" -DestinationPath "$env:ProgramFiles\x64dbg\release\x32\x32dbg.exe"
     Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\x64dbg.lnk" -DestinationPath "$env:ProgramFiles\x64dbg\release\x64\x64dbg.exe"
 }
-mkdir "$HOME\Desktop\dfirws\Signatures"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Signatures\loki.lnk" -DestinationPath "C:\Program Files\loki\loki.exe"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Signatures\yara.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+mkdir "$HOME\Desktop\dfirws\Signatures and information"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Signatures and information\loki.lnk" -DestinationPath "C:\Program Files\loki\loki.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Signatures and information\PatchaPalooza.py.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "C:\git\PatchaPalooza"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Signatures and information\WinApiSearch64.lnk" -DestinationPath "C:\Tools\WinApiSearch\WinApiSearch64.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Signatures and information\yara.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 # "$HOME\Desktop\dfirws\Sysinternals"
 Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\Sysinternals.lnk" -DestinationPath "C:\Tools\sysinternals"
 mkdir "$HOME\Desktop\dfirws\Utilities"
@@ -466,12 +502,21 @@ if ($verb) {
 }
 
 # TODO
-# pstwalker
 # Links to
 # - C:\git tools
 # - pip tools
 # - node tools
 
+New-Item -ItemType Directory -Force -Path "$HOME\AppData\Roaming\rizin\cutter\plugins\python" | Out-Null
+Copy-Item C:\git\radare2-deep-graph\cutter\graphs_plugin_grid.py "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+#Copy-Item C:\downloads\cutter_stackstrings.py "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+Copy-Item C:\downloads\x64dbgcutter.py "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+Copy-Item C:\git\cutterref\cutterref.py "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+Copy-Item -Recurse C:\git\cutterref\archs "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+#Copy-Item -Recurse C:\git\cutter-jupyter\cutter_jupyter "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+Copy-Item -Recurse C:\git\cutter-jupyter\icons "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+Copy-Item -Recurse C:\git\capa-explorer\capa_explorer_plugin "$HOME\AppData\Roaming\rizin\cutter\plugins\python"
+
 Start-Transcript -Append "$TEMP\dfirws_log.txt"
 
 & "$env:ProgramFiles\7-Zip\7z.exe" x -pinfected "C:\downloads\signature.7z" -o"$env:ProgramFiles\loki"