The document presents a technique for detecting and classifying self-deleting malware using Windows Prefetch files. It trains a KNN classifier to detect malware execution based on prefetch file features. It then applies a Jaccard similarity classifier to attribute the malware to a family. The approach extracts features from over 4,000 malware and benign prefetch files, applies normalization to select relevant features, trains the KNN detector, and uses minimum family features and Jaccard similarity to classify into 48 malware families. The technique can detect malware execution and attribute it to a family using only prefetch file evidence, without accessing the original malware sample.