I tend to not use Windows-Exploit-Suggestor because it gives a lot of false positives. The program works by pulling a list of exploits from an excel file, grabbing the patch name, and then searching for updates checking if the patch name (KBxxxxxx) is Installed. Unfortunately, Microsoft changes the bulletin ID quite frequently especially with their new “monthly roll-up” style of patches.
Sherlock works a bit differently, it pulls the Version Number off the DLL associated with the exploit. So there isn’t any false positives, the downside is that the script has to be manually updated as Microsoft doesn’t release what files change in each patch.
As for why everyone skipped over how they found the keypass file. It’s in the User’s Documents folder, a place most people just check manually. Some enumeration scripts will point out files in the directories (such as JAWS). I just don’t show every tool every video because it would be super repetitive.