How to find the program that was executed to compromise the user?

edit

As correctly pointed out a pcap does not contain process information. Although if the network capture is made on a Windows system using the netsh command you would get an ETL trace file (not a pcap) that does contain this information and using the right tools you would get a pcap.

If you only have a pcap to go on, the first step is to look at which protocols where captured. This can be found in the statistics > protocol hierarchy.

Small question, please point out if it is an academic exercise or not. It is not that we don't want to help you. I just don't want to make your homework and if you are really having a security incident let us know and we will try to help you further but you will need things like sysmon logs on the system and a bit of command line kung fu to start with.

In general, traffic captures don't have any direct information on the processes used to send traffic, although on some platforms some information can be obtained.

Examining the traffic can lead one to infer such things, e.g. seeing the filename in an FTP download for instance.