| Unit42 | Very Easy | Unit42 - walkthrough | Using Sysmon logs / Windows event analysis / "backdoored UltraVNC" malware for persistence and initial access. |
| Campfire-1 | Very Easy | Campfire-1 - walkthrough | Kerberoasting attack via AD logs and Prefetch/events. |
| Recollection | Easy | Recollection -walkthrough | Memory forensics analysis in Windows 7; obfuscated PowerShell; abandoned "passwords.txt" file; clipboard/history analysis. |
| RogueOne | Easy | RogueOne -walkthrough | Memory forensics; malicious process identification; C2; netscan analysis of dumps. |
| LogJammer | Easy | LogJammer-walkthrough | Log analysis (Security, System, Defender, Firewall, PowerShell); changes to firewall rules; scheduled tasks; log cleanup. |
| Trojan | Easy | Trojan - walkthrough | Memory analysis with Volatility 3; malicious ZIP file; installation of recovery software; investigation of a compromised workstation. |
| Tracer | Easy | Tracer - walkthrough | Use of PsExec lateral movement; Prefetch analysis; “PsExeSvc” service; execution counting; endpoint forensics |
| ReliableThreat | Medium | ReliableThreat - walkthrough | Exploitation of a malicious VSCode extension → reverse shell; COM hijack for persistence. |
| Jinkies | Medium | Jinkies - walkthrough | Investigation using “LiveResponse / TriageData” artifacts; analysis of folder sharing, use of process logs/registry; OSINT element. |
| Detroit Becomes Human | Hard | Detroit Becomes Human - walkthrough | Malware via social-media link → execution of malicious installer → staging in “C:\Program Files (x86)\Google\Install\” → script execution → forensic analysis of event logs and PowerShell. |
| Streamer | Hard | -— | --— |
