Saturday, October 29, 2016


I was working on an incident recently, and while extracting files from the image, I noticed that there was an AmCache.hve file.  Not knowing what I would find in the file, I extracted it to include in my analysis.  As I began my analysis, I found that the system I was examining was a Windows Server 2012 R2 Standard system.  This was just one system involved in the case, and I already had a couple of indicators.

As part of my analysis, I parsed the AppCompatCache value and found one of my indicators:

SYSVOL\downloads\malware.exe  Wed Oct 19 15:35:23 2016 Z

I was able to find a copy of the malware file in the file system, so I computed the MD5 hash, and pulled the PE compile time and interesting strings out of the file.  The compile time was  9 Jul 2016, 11:19:37 UTC.

I then parsed the AmCache.hve file and searched for the indicator, and found:

File Reference  : 28000017b6a
LastWrite          : Wed Oct 19 06:07:02 2016 Z
Path                   : C:\downloads\malware.exe
SHA-1               : 0000
Last Mod Time2: Wed Aug  3 13:36:53 2016 Z

File Reference   : 3300001e39f
LastWrite           : Wed Oct 19 15:36:07 2016 Z
Path                    : C:\downloads\malware.exe
SHA-1                : 0000
Last Mod Time2: Wed Oct 19 15:35:23 2016 Z

File Reference  : 2d000017b6a
LastWrite          : Wed Oct 19 06:14:30 2016 Z
Path                   : C:\Users\\Desktop\malware.exe
SHA-1               : 0000
Last Mod Time  : Wed Aug  3 13:36:54 2016 Z
Last Mod Time2: Wed Aug  3 13:36:53 2016 Z
Create Time       : Wed Oct 19 06:14:20 2016 Z
Compile Time    : Sat Jul  9 11:19:37 2016 Z

All of the SHA-1 hashes were identical across the three entries.  Do not ask for the hashes...I'm not going to provide them, as this is not the purpose of this post.

What this illustrates is the value of what what can be derived from the AmCache.hve file.  Had I not been able to retrieve a copy of the malware file from the file system, I would still have a great deal of information about the file, including (but not limited to) the fact that the same file was on the file system in three different locations.  In addition, I would also have the compile time of the executable file.


Anonymous said...

Looks like two locations, not three, unless I am missing something?

H. Carvey said...


I didn't say "three locations"...I said three entries. If you look at the AmCache.hve information, there are three different file reference numbers, and two paths. Of the two paths that point to the Downloads folder, the entries have different times associated with them, and different file references.

Teck0 said...

It''s a great article. Thanks Harlan. Do you have analyzed the shimcache ?

H. Carvey said...


"s part of my analysis, I parsed the AppCompatCache value and found one of my indicators..."

Anonymous said...

hi Harlan,

What tool did you use to parse the amcache.hve file?

H. Carvey said...

It's a RegRipper plugin...

Anonymous said...

hey harlan,

how were you able to extract the amcache.hve file from registry? i understand you can't parse the amcache file on a live machine. what software or technique was used?

H. Carvey said...

The AmCache.hve file is NOT part of the Registry, it's a separate file. I extracted it from the image using FTK Imager.

Again, I'm using the RegRipper plugin to parse it.