Operator On The Wire
BLUE TEAM / DFI / ARTEFACT / WINDOWS / EXECUTION

Amcache

.\AmcacheParser.exe -f Amcache.hve --csv .\out
(Amcache.hve is an exported copy of C:\Windows\AppCompat\Programs\Amcache.hve; --csv takes an output directory, not a file name, so the parser writes its CSVs into .\out.)

Hunt

  • First execution time (the file key's last-write timestamp; on recent Windows treat it as "first seen", not proof of execution)
  • Suspicious path execution
  • Unsigned binaries

Red Flags

  • Executed from Temp/AppData
  • Recently dropped executable
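Triage pass over the parser's CSV for the hunt items and red flags above, as an added example (not code from the page or from AmcacheParser). Column names are assumed to match AmcacheParser's unassociated file entries output; check your own header row. The CSV rows are constructed sample data, and the PE LinkDate is only a hint since it lives in the file header and can be altered.

```python
import csv
import io
from datetime import datetime

# Assumed AmcacheParser column names; verify against the header of your CSV.
COL_PATH, COL_FIRST_SEEN, COL_LINK = "FullPath", "FileKeyLastWriteTimestamp", "LinkDate"
COL_SHA1, COL_OS = "SHA1", "IsOsComponent"

# Constructed sample rows: one OS component, one Temp drop, one normal install,
# one binary whose compile time lies after its first-seen time.
SAMPLE_CSV = """FullPath,FileKeyLastWriteTimestamp,LinkDate,SHA1,IsOsComponent
c:\\windows\\system32\\notepad.exe,2024-03-01 09:00:00,2023-11-02 04:11:56,aaaa,True
c:\\users\\bob\\appdata\\local\\temp\\update.exe,2024-03-14 10:22:05,2024-03-12 22:41:10,bbbb,False
c:\\program files\\vendor\\tool.exe,2024-03-14 11:00:00,2022-06-01 00:00:00,cccc,False
c:\\users\\bob\\downloads\\inv.exe,2024-03-15 08:30:00,2024-03-20 00:00:00,dddd,False
"""

def parse_ts(value):
    """AmcacheParser writes 'YYYY-MM-DD HH:MM:SS'; blank means unknown."""
    value = (value or "").strip()
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S.%f"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None

def triage(csv_text, window_start, window_end, fresh_compile_days=7):
    """Return non-OS entries worth a look, each with the reasons it was flagged."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get(COL_OS, "").strip().lower() == "true":
            continue  # OS components are noise for this hunt
        path = row.get(COL_PATH, "")
        low = path.lower()
        first_seen, link = parse_ts(row.get(COL_FIRST_SEEN)), parse_ts(row.get(COL_LINK))
        reasons = []
        if "\\temp\\" in low or "\\appdata\\" in low:
            reasons.append("executed from Temp/AppData")
        if first_seen and window_start <= first_seen <= window_end:
            reasons.append("first seen inside incident window")
        if first_seen and link:
            if link > first_seen:
                reasons.append("link date after first seen (altered header or clock skew)")
            elif (first_seen - link).days <= fresh_compile_days:
                reasons.append("compiled shortly before first execution")
        if reasons:
            hits.append({"path": path, "sha1": row.get(COL_SHA1, ""),
                         "first_seen": first_seen, "reasons": reasons})
    return hits

def triage_sample():
    """Run the sample through a constructed incident window of 10-16 March 2024."""
    return triage(SAMPLE_CSV, datetime(2024, 3, 10), datetime(2024, 3, 16))
```

Signature status is not in this CSV layout; check Authenticode on the recovered file itself, and confirm any hit against Prefetch, the MFT and ShimCache before calling it execution.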

Correlate

  • Prefetch (run count and last run times)
  • MFT (creation and modification times of the dropped file)
  • ShimCache (AppCompatCache path and last-modified time)