drop multiple Windows prefetch files · execution timeline · file access correlation · deleted executable detection · process relationship inference · runs locally
prefetch binaries
Drop multiple .pf files
expects uncompressed SCCA · Windows 10 prefetch files are MAM-compressed by default
correlation requires decompressed prefetch · typical Win10/11 copies need offline decode first · see basic prefetch analyzer notes
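
The SCCA versus MAM distinction noted above, as an added example (not the tool's own code): a header check that sorts .pf buffers into ready-to-correlate and needs-decompression, and flags truncated copies. Offsets follow the publicly documented SCCA header layout; the function names and sample buffers are constructed for illustration.

```python
import struct

# SCCA format versions and the Windows releases that write them.
SCCA_VERSIONS = {17: "XP/2003", 23: "Vista/7", 26: "8/8.1", 30: "10", 31: "11"}

def triage_prefetch(data: bytes) -> dict:
    """Classify one .pf buffer by its header, without decompressing it."""
    if len(data) >= 8 and data[:3] == b"MAM":
        # MAM wrapper: 'MAM', one format byte, then decompressed size (LE uint32).
        size, = struct.unpack_from("<I", data, 4)
        return {"kind": "mam-compressed", "ready": False, "decompressed_size": size}
    if len(data) >= 84 and data[4:8] == b"SCCA":
        version, = struct.unpack_from("<I", data, 0)
        declared_size, = struct.unpack_from("<I", data, 12)
        # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 16.
        name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        pf_hash, = struct.unpack_from("<I", data, 76)
        return {
            "kind": "scca", "ready": True, "version": version,
            "windows": SCCA_VERSIONS.get(version, "unknown"),
            "executable": name, "hash": f"{pf_hash:08X}",
            # A mismatch suggests a truncated or padded copy.
            "size_matches": declared_size == len(data),
        }
    return {"kind": "unknown", "ready": False}

def sample_scca(name="CMD.EXE", version=30, pf_hash=0x12345678) -> bytes:
    """Constructed 84-byte SCCA header (no sections), for demonstration only."""
    raw_name = name.encode("utf-16-le").ljust(60, b"\x00")
    return (struct.pack("<I4sII", version, b"SCCA", 0x11, 84)
            + raw_name + struct.pack("<II", pf_hash, 0))

def sample_mam(decompressed_size=84) -> bytes:
    """Constructed MAM header followed by placeholder bytes, not real compressed data."""
    return b"MAM\x04" + struct.pack("<I", decompressed_size) + b"\x00" * 16

if __name__ == "__main__":
    for label, buf in (("scca", sample_scca()), ("mam", sample_mam())):
        print(label, triage_prefetch(buf))
```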