G0386.7z.005 File

Check SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence mechanisms. Use Registry Explorer by Eric Zimmerman to parse these files.

Evidence of attackers moving through the network using tools like PsExec or Mimikatz.

Examine System.evtx and Security.evtx. Look for Event ID 4624 (Successful Login) coming from unusual IP addresses.
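
One way to run the Event ID 4624 check above, assuming the Security.evtx records have already been exported to XML. This is an added example, not part of the original page; the expected address ranges, the sample records and the function names are all constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: the ranges this environment normally sees logons from.
EXPECTED_NETS = [ipaddress.ip_network(n)
                 for n in ("10.20.0.0/16", "127.0.0.0/8", "::1/128")]

def _event(event_id, user, logon_type, ip):
    """Build one constructed record in the XML layout of an exported event."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample data, not taken from any real host.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "alice", 3, "10.20.4.7"),          # expected internal source
    _event(4624, "svc_backup", 3, "203.0.113.45"),  # outside expected ranges
    _event(4624, "SYSTEM", 5, "-"),                 # local logon, no source address
    _event(4625, "bob", 3, "198.51.100.9"),         # failed logon, not a 4624
    _event(4624, "admin", 10, "198.51.100.77"),     # remote interactive, unexpected
]) + "</Events>"

def unusual_logons(xml_text, expected=EXPECTED_NETS):
    """Return (user, logon_type, ip) for 4624 events sourced outside `expected`."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        try:
            ip = ipaddress.ip_address(data.get("IpAddress", "").strip())
        except ValueError:
            continue  # "-" or empty: the event carries no network source
        if not any(ip in net for net in expected):
            hits.append((data.get("TargetUserName"), data.get("LogonType"), str(ip)))
    return hits

if __name__ == "__main__":
    for user, logon_type, ip in unusual_logons(SAMPLE_XML):
        print(f"4624 logon type {logon_type} for {user} from {ip}")
```

What counts as "unusual" depends on the environment, so the expected ranges should come from known management subnets, VPN pools and jump hosts rather than the placeholder values used here.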