2026-02-05
Windows.Forensics.Amcache
AMCache (Application Compatibility Cache) is a Windows registry-backed forensic artifact that records metadata about executables that have been run or installed on a system. It typically stores file path, filename, file size, compilation timestamp, and cryptographic hashes, allowing investigators to identify program execution even when the binary no longer exists on disk. AMCache is especially valuable for historical execution tracking, malware hunting, and timeline reconstruction, as it persists across reboots and is updated by the Windows Application Experience and compatibility subsystems rather than direct user action.
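
The hunting use described above, as an added example that is not part of the original page or of any tool's own code: it normalizes exported AMCache file entries, matches their hashes against an indicator set, and flags binaries that are recorded but no longer on disk. Assumptions: the rows are constructed samples using the InventoryApplicationFile value names (LowerCaseLongPath, FileId, Size, LinkDate), KeyLastWrite is a hypothetical column supplied by whatever export tool is used, and the indicator set and disk listing are constructed.

```python
from datetime import datetime

# Constructed sample rows, shaped like an export of AMCache file entries.
# Field names follow the InventoryApplicationFile value names; KeyLastWrite
# is a hypothetical column an export tool would add from the registry key.
SAMPLE_ROWS = [
    {"LowerCaseLongPath": r"c:\windows\system32\notepad.exe",
     "FileId": "0000" + "a" * 40, "Size": "201216",
     "LinkDate": "03/14/2021 08:15:02", "KeyLastWrite": "2025-11-02T09:10:11"},
    {"LowerCaseLongPath": r"c:\users\public\upd.exe",
     "FileId": "0000" + "b" * 40, "Size": "48640",
     "LinkDate": "01/09/2026 22:41:55", "KeyLastWrite": "2026-01-10T03:04:05"},
    {"LowerCaseLongPath": r"c:\temp\broken.exe",
     "FileId": "", "Size": "0", "LinkDate": "", "KeyLastWrite": "2026-01-11T00:00:00"},
]
KNOWN_BAD_SHA1 = {"b" * 40}  # constructed indicator set
PRESENT_ON_DISK = {r"c:\windows\system32\notepad.exe"}  # constructed file listing


def sha1_from_file_id(file_id):
    """FileId is the SHA-1 hex digest with a four-zero prefix; None if malformed."""
    h = file_id[4:].lower() if file_id.startswith("0000") else ""
    ok = len(h) == 40 and all(c in "0123456789abcdef" for c in h)
    return h if ok else None


def parse_link_date(text):
    """LinkDate (the compilation timestamp) is stored as MM/DD/YYYY HH:MM:SS."""
    try:
        return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None


def triage(rows, known_bad, present):
    """Return entries ordered by key write time, flagged for hunting."""
    out = []
    for r in rows:
        sha1 = sha1_from_file_id(r.get("FileId", ""))
        path = r["LowerCaseLongPath"]
        out.append({
            "path": path, "sha1": sha1,
            "compiled": parse_link_date(r.get("LinkDate", "")),
            "recorded": datetime.fromisoformat(r["KeyLastWrite"]),
            "hash_match": sha1 in known_bad,
            "missing_on_disk": path not in present,
        })
    return sorted(out, key=lambda e: e["recorded"])
```

Calling triage(SAMPLE_ROWS, KNOWN_BAD_SHA1, PRESENT_ON_DISK) returns the three entries oldest first; entries with an empty or malformed FileId keep their place in the ordering with sha1 set to None rather than being dropped.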