What is the account used in the connection at 2024-03-19 10:24:40 UTC ?

What process is associated with the firewall rule ROOT\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\805E2883-28D5-4427-9F74-B215FE5792D7 present in the SYSTEM hive ?

From your understanding of the attack, what is the probable initial access method?

At what timestamp was created the file “C:\Program Files\LibreOffice\help\media\icon-themes\cmd\32\mailmergesavedocuments.svg“ on the workstation ?

What is the name of the .bat attacker's file ?

What is the name of the malicious service created by the attacker to run code on WK1?  How many times this service was installed ?

A lot of Defender registry key are changed at a random time, which might indicates that the attacker tried to tamper with the antivirus. What’s the timestamp related to this action ?

What is the hostname and the IP

address of Thomas’s workstation?

What is the PPID of process smss.exe ?

When did the attacker connect on the machine with another account with elevated privileges ?