
ShimCache parser

tzworks
(@tzworks)
Active Member
Joined: 14 years ago
Posts: 5
Topic starter  

All, we posted a new tool on our website for parsing the Windows 'ShimCache' artifacts and updated others to handle this artifact as well. The new tool is cross-platform and free for personal use.

The new tool is called Windows AppCompatibility Cache Utility (or wacu for short), and it can be downloaded here: https://tzworks.net/prototype_page.php?proto_id=29. It is a command line tool that targets the AppCompatCache subkey in the Windows registry system hive. This artifact is useful when analyzing the initial installation of malware on a system since it records which apps were run along with the respective modification date of the application.

Other tools that were updated to include parsing this artifact include yaru (https://tzworks.net/prototype_page.php?proto_id=3) and cafae (https://tzworks.net/prototype_page.php?proto_id=19).

Give them a try!


   
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I read your licensing and there is nothing in there for educational purposes.

What is your licensing for it?


   