Szymcio.rar
Evidence that the user "Szymcio" used unauthorized tools such as mimikatz or netscan.
Fragments of NTUSER.DAT or SYSTEM hives that show "Run" key persistence (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
Using tools such as exiftool or 7z l -slt szymcio.rar reveals the archive version and whether the file names (i.e., the archive headers) are encrypted.
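The headers-versus-data distinction can also be checked directly from the archive bytes. The following is an added example, not code from the original page: it walks the block headers of a RAR 4.x archive (the RAR 5.x layout is left to 7z l -slt) and reports whether the main header carries the MHD_PASSWORD flag (file names hidden) or only individual file headers carry LHD_PASSWORD (names visible, data encrypted). The samples at the bottom are constructed stand-ins for szymcio.rar, not real WinRAR output.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

def rar_encryption_status(data):
    """Return (headers_encrypted, [(filename, data_encrypted), ...]) for a
    RAR 4.x archive by walking its block headers (no extraction, no password)."""
    if data.startswith(RAR5_SIG):
        raise ValueError("RAR 5.x layout not handled here; use 7z l -slt")
    if not data.startswith(RAR4_SIG):
        raise ValueError("not a RAR archive")
    files, pos = [], len(RAR4_SIG)
    while pos + 7 <= len(data):
        _, htype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if size < 7:
            break                           # corrupt header, stop walking
        if htype == 0x73 and flags & 0x0080:             # MHD_PASSWORD
            return True, files              # names live in encrypted headers
        if htype == 0x74:                                # file header
            pack_size = struct.unpack_from("<I", data, pos + 7)[0]
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & 0x0100 else 0)  # LHD_LARGE
            name = data[name_off:name_off + name_size].decode("latin-1")
            files.append((name, bool(flags & 0x0004)))   # LHD_PASSWORD
            size += pack_size               # skip the (possibly encrypted) data
        elif htype == 0x7B:                              # end-of-archive block
            break
        elif flags & 0x8000:                             # LONG_BLOCK: ADD_SIZE
            size += struct.unpack_from("<I", data, pos + 7)[0]
        pos += size
    return False, files

def _rar4_file(name, payload, encrypted):
    """Build a constructed RAR4 file block (CRCs zeroed; not real WinRAR output)."""
    flags = 0x8000 | (0x0004 if encrypted else 0)
    hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name), len(payload),
                      len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return hdr + name + payload

# Constructed samples standing in for szymcio.rar in its two possible states.
SAMPLE_DATA_ONLY = (RAR4_SIG + struct.pack("<HBHH", 0, 0x73, 0x0000, 13) + bytes(6)
                    + _rar4_file(b"payload.vbs", b"\xaa" * 5, True)
                    + _rar4_file(b"config.json", b"{}", False)
                    + struct.pack("<HBHH", 0, 0x7B, 0x4000, 7))
SAMPLE_HEADERS = RAR4_SIG + struct.pack("<HBHH", 0, 0x73, 0x0080, 13) + bytes(22)
```

On a real archive, read the file with open(path, "rb").read() and pass it in; a True first element means nothing beyond the archive version can be learned without the password.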
If the headers are encrypted, you cannot see the file names without the password. If only the data is encrypted, the file names (e.g., payload.vbs, config.json) provide immediate clues.
Phase 2: Password Recovery