diff --git a/evtx/Maps/Application_10002.map b/evtx/Maps/Application_10002.map
index dbd74f51..23dafad2 100644
--- a/evtx/Maps/Application_10002.map
+++ b/evtx/Maps/Application_10002.map
@@ -5,21 +5,21 @@ Channel: "Application"
Provider: "Microsoft-Windows-RestartManager"
Maps:
-
- Property: PayloadData1
- PropertyValue: "FullPath: %FullPath%"
+ Property: ExecutableInfo
+ PropertyValue: "%FullPath%"
Values:
-
Name: FullPath
Value: "/Event/UserData/RmApplicationEvent/FullPath"
-
- Property: PayloadData2
+ Property: PayloadData1
PropertyValue: "DisplayName: %DisplayName%"
Values:
-
Name: DisplayName
Value: "/Event/UserData/RmApplicationEvent/DisplayName"
-
- Property: PayloadData3
+ Property: PayloadData2
PropertyValue: "Files: %Files%"
Values:
-
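Review bot: Renumbering the remaining entries (the added `Property: PayloadData1` and `Property: PayloadData2` lines) silently changes what existing consumers see in those columns: anything keyed on PayloadData2 holding `DisplayName:` for this event now gets `Files:` instead. Moving the path into `ExecutableInfo` is the better layout, but it is a breaking change for saved filters, timelines and detection content built on the old column positions, so it is worth stating explicitly in the commit message or the map's Description. The Shell-Core_28115 hunk makes the same shift (PayloadData2 → PayloadData1 for `AppID:`). The third map entry's `Values` list continues past the end of this hunk.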
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Compatibility-Assistant_17.map b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Compatibility-Assistant_17.map
new file mode 100644
index 00000000..f2131562
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Compatibility-Assistant_17.map
@@ -0,0 +1,39 @@
+Author: Hyun Yi @hyuunnn
+Description: Path of executed program
+EventId: 17
+Channel: "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
+Maps:
+ -
+ Property: ExecutableInfo
+ PropertyValue: "%ExePath%"
+ Values:
+ -
+ Name: ExePath
+ Value: "/Event/UserData/ResolverFiredEvent/ExePath"
+
+# Valid properties include:
+
+#
+#
+#
+# 17
+# 0
+# 4
+# 0
+# 0
+# 0x4000000000000000
+#
+# 204
+#
+#
+# Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
+# ComputerName
+#
+#
+#
+#
+# C:\Users\hyuunnn\Desktop\arsenalRecon\Arsenal-Image-Mounter-v3.2.128\ArsenalImageMounter.exe
+# DetectorShim_Win32Exception
+#
+#
+#
\ No newline at end of file
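Review bot: This new map has no `Provider:` line, whereas the modified maps in this diff (Application_10002, Shell-Core_28115) carry one directly under `Channel:`; if the loader uses Provider to disambiguate maps, add `Provider: "<provider name taken from the sample event>"` — the same applies to the new WPD-MTPClassDriver_1005 map. The `# Valid properties include:` block has lost its XML element names (only bare values such as `# 17` and `# 0x4000000000000000` remain), so it no longer documents which element each value came from; if that is the committed content rather than a rendering artifact, paste the full event XML. That sample also embeds a path under the author's own profile (`C:\Users\hyuunnn\...`), which could be replaced with a generic example before committing. The sample's `DetectorShim_Win32Exception` value is not mapped; if it is a sibling element of `ExePath`, surfacing it in a PayloadData column would tell the analyst why PCA fired. Both new files also end without a trailing newline.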
diff --git a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map b/evtx/Maps/Microsoft-Windows-DriverFrameworks-UserMode_Operational_2100.map
similarity index 100%
rename from evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
rename to evtx/Maps/Microsoft-Windows-DriverFrameworks-UserMode_Operational_2100.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_28115.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_28115.map
index cf44e206..eaf64860 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_28115.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_28115.map
@@ -5,14 +5,14 @@ Channel: "Microsoft-Windows-Shell-Core/Operational"
Provider: "Microsoft-Windows-Shell-Core"
Maps:
-
- Property: PayloadData1
- PropertyValue: "Name: %Name%"
+ Property: ExecutableInfo
+ PropertyValue: "%Name%"
Values:
-
Name: Name
Value: "/Event/EventData/Data[@Name=\"Name\"]"
-
- Property: PayloadData2
+ Property: PayloadData1
PropertyValue: "AppID: %AppID%"
Values:
-
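Review bot: `ExecutableInfo` now receives the raw `Name` value (added `PropertyValue: "%Name%"` line); if `Name` for this event is an application display name rather than a path to an executable (the adjacent `AppID:` payload hints at an app-registration context, but this cannot be confirmed from the hunk), the column will mix non-path strings with the full paths other maps put there, and consumers that treat ExecutableInfo as a file path may be misled. Either confirm from a sample event that `Name` is a path, or keep `Name:` in a PayloadData column and document the choice in the map's Description. The renumbering of PayloadData2 to PayloadData1 for `AppID:` is covered in the Application_10002 note. The second map entry's `Values` list continues past the end of this hunk.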
diff --git a/evtx/Maps/Microsoft-Windows-WPD-MTPClassDriver_Operational_1005.map b/evtx/Maps/Microsoft-Windows-WPD-MTPClassDriver_Operational_1005.map
new file mode 100644
index 00000000..caba1375
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-WPD-MTPClassDriver_Operational_1005.map
@@ -0,0 +1,53 @@
+Author: Hyun Yi @hyuunnn
+Description: (Mobile) MTP Connection
+EventId: 1005
+Channel: "Microsoft-Windows-WPD-MTPClassDriver/Operational"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Manufacturer: %Manufacturer%"
+ Values:
+ -
+ Name: Manufacturer
+ Value: "/Event/EventData/Data[@Name=\"Manufacturer\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Model: %Model%"
+ Values:
+ -
+ Name: Model
+ Value: "/Event/EventData/Data[@Name=\"Model\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "Version: %Version%"
+ Values:
+ -
+ Name: Version
+ Value: "/Event/EventData/Data[@Name=\"Version\"]"
+
+# Valid properties include:
+
+#
+#
+#
+# 1005
+# 0
+# 4
+# 16
+# 0
+# 0x8000000000000000
+#
+# 2
+#
+#
+# Microsoft-Windows-WPD-MTPClassDriver/Operational
+# ComputerName
+#
+#
+#
+# Apple Inc.
+# Apple iPhone
+# 12.4.4
+# 40
+#
+#
\ No newline at end of file