How many different binaries did the attacker dropped on the folder ?

What’s the name of the Remote Access Tool used by the attacker to setup a persitence on Thomas machine ?

According to the browser data of ESILV-TP\thomas, what is the value of the cookie “__Secure-Install” related to leboncoin.fr ?

Bonus (flag this question to answer it at the end of the quiz) :

What is the privilege escalation tool that the attacker might have used to become domain administrator ?

What is the suspicious port that should not be listening ?

The attacker used a malicious service in his attack. By correlating the name of this service on open-source data, what’s the probable attacker tool has been used?

According to the prefetch, how many times were the Remote Access Tool executed ?

RAM is faster and cheaper than Disk for the same storage capacity ?

A legitimate System process (by its name) running in a User folder seems suspicious ?