We're provided with a .pcap and a bunch of artifacts (files).
The AD, we're told, is as follows:
First, let's inspect the artifacts.
$ find . -type f -exec ls -l -- {} +
242176 Mar 29 23:22 ./ProgramData/huqvg/huqvg.exe
49152 Mar 29 23:18 ./Users/Public/4123.do1
65545 Mar 29 23:22 ./Users/Public/4123.xlsb
65545 Mar 29 23:21 ./Users/Public/4123.xsg
299520 Mar 29 23:58 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
181413 Mar 29 23:17 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
4326 Mar 31 18:19 './Windows/System32/Tasks/Sun SvcRestartTask#32640'
251904 Mar 30 00:07 ./Windows/Temp/adf/anchorAsjuster_x64.exe
347648 Mar 30 00:08 ./Windows/Temp/adf/anchorDNS_x64.exe
347648 Mar 30 03:31 ./Windows/Temp/adf/anchor_x64.exe
$ find . -type f -exec file -- {} +
./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb: Microsoft Excel 2007+
./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
./Users/Public/4123.xsg: ASCII text, with very long lines, with CRLF line terminators
./Users/Public/4123.xlsb: ASCII text, with very long lines, with CRLF line terminators
./Users/Public/4123.do1: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
./Windows/System32/Tasks/Sun SvcRestartTask#32640: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
./Windows/Temp/adf/anchorDNS_x64.exe: PE32+ executable (GUI) x86-64, for MS Windows
./Windows/Temp/adf/anchorAsjuster_x64.exe: PE32+ executable (console) x86-64, for MS Windows
./Windows/Temp/adf/anchor_x64.exe: PE32+ executable (GUI) x86-64, for MS Windows
./ProgramData/huqvg/huqvg.exe: PE32+ executable (GUI) x86-64, for MS Windows
$ find . -type f -exec sha256sum -- {} +
ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xsg
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xlsb
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e ./Users/Public/4123.do1
6b7de7ab79ef0f15d7c03536ad6403e317ae5712898957e0ae2ba6f41bf89828 ./Windows/System32/Tasks/Sun SvcRestartTask#32640
9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513 ./Windows/Temp/adf/anchorDNS_x64.exe
3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d ./Windows/Temp/adf/anchorAsjuster_x64.exe
a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634 ./Windows/Temp/adf/anchor_x64.exe
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b ./ProgramData/huqvg/huqvg.exe
It looks like we have some executables, some Excel-related files, a .dll, and a scheduled task in XML format.
Based on the file dates, let's start to make a timeline, and analyse each in turn.
Mar 29 23:17 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
Mar 29 23:18 ./Users/Public/4123.do1
Mar 29 23:21 ./Users/Public/4123.xsg
Mar 29 23:22 ./Users/Public/4123.xlsb
Mar 29 23:22 ./ProgramData/huqvg/huqvg.exe
Mar 29 23:58 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
Mar 30 00:07 ./Windows/Temp/adf/anchorAsjuster_x64.exe
Mar 30 00:08 ./Windows/Temp/adf/anchorDNS_x64.exe
Mar 30 03:31 ./Windows/Temp/adf/anchor_x64.exe
Mar 31 18:19 './Windows/System32/Tasks/Sun SvcRestartTask#32640'
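Building the timeline by hand works for ten files, but it is easy to misorder entries or miss that two artifacts are byte-identical. The following script is an added example (not part of the original writeup) that automates the two triage steps above: it parses the `ls -l` and `sha256sum` listings, orders the artifacts by modification time, attaches each file's digest, and groups paths that share a hash. The embedded input is the listing shown above; the parser assumes the abbreviated `size Mon DD HH:MM path` row layout as printed here (a full `ls -l` row would have permission, link, owner and group columns in front of the size). Because `ls -l` omits the year for recent files, the code sorts on month, day and time only.

```python
"""Triage helper: order artifacts by mtime and flag byte-identical files."""
from collections import defaultdict
from datetime import datetime

# Input copied from the `find -exec ls -l` listing above (size, month, day, time, path).
LS_OUTPUT = """\
242176 Mar 29 23:22 ./ProgramData/huqvg/huqvg.exe
49152 Mar 29 23:18 ./Users/Public/4123.do1
65545 Mar 29 23:22 ./Users/Public/4123.xlsb
65545 Mar 29 23:21 ./Users/Public/4123.xsg
299520 Mar 29 23:58 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
181413 Mar 29 23:17 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
4326 Mar 31 18:19 './Windows/System32/Tasks/Sun SvcRestartTask#32640'
251904 Mar 30 00:07 ./Windows/Temp/adf/anchorAsjuster_x64.exe
347648 Mar 30 00:08 ./Windows/Temp/adf/anchorDNS_x64.exe
347648 Mar 30 03:31 ./Windows/Temp/adf/anchor_x64.exe
"""

# Input copied from the `find -exec sha256sum` listing above.
SHA_OUTPUT = """\
ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xsg
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xlsb
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e ./Users/Public/4123.do1
6b7de7ab79ef0f15d7c03536ad6403e317ae5712898957e0ae2ba6f41bf89828 ./Windows/System32/Tasks/Sun SvcRestartTask#32640
9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513 ./Windows/Temp/adf/anchorDNS_x64.exe
3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d ./Windows/Temp/adf/anchorAsjuster_x64.exe
a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634 ./Windows/Temp/adf/anchor_x64.exe
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b ./ProgramData/huqvg/huqvg.exe
"""


def parse_ls(text):
    """Parse 'size Mon DD HH:MM path' rows into dicts; quoted paths are unquoted."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        size, mon, day, hhmm, path = line.split(maxsplit=4)
        # ls -l prints no year for recent files; strptime fills in 1900, which
        # still orders entries correctly within a single year.
        when = datetime.strptime(f"{mon} {day} {hhmm}", "%b %d %H:%M")
        rows.append({"size": int(size), "mtime": when, "path": path.strip("'")})
    return rows


def parse_sha(text):
    """Parse 'digest path' rows into a {path: digest} mapping."""
    digests = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.strip().split(maxsplit=1)
            digests[path.strip("'")] = digest
    return digests


def timeline(ls_text, sha_text):
    """Return artifacts sorted by mtime (then path), each with its SHA-256."""
    digests = parse_sha(sha_text)
    rows = sorted(parse_ls(ls_text), key=lambda r: (r["mtime"], r["path"]))
    for row in rows:
        row["sha256"] = digests.get(row["path"])
    return rows


def duplicate_hashes(sha_text):
    """Group paths whose contents are identical (same digest); singletons dropped."""
    groups = defaultdict(list)
    for path, digest in parse_sha(sha_text).items():
        groups[digest].append(path)
    return {d: sorted(p) for d, p in groups.items() if len(p) > 1}


def format_timeline(rows):
    """Render the timeline as 'Mon DD HH:MM  size  digest-prefix  path' lines."""
    return "\n".join(
        f"{r['mtime']:%b %d %H:%M}  {r['size']:>7}  {(r['sha256'] or '?')[:12]}  {r['path']}"
        for r in rows
    )


if __name__ == "__main__":
    print(format_timeline(timeline(LS_OUTPUT, SHA_OUTPUT)))
    for digest, paths in duplicate_hashes(SHA_OUTPUT).items():
        print("identical content:", digest, paths)
```

Run as-is it prints the ordered timeline and then reports that 4123.xsg and 4123.xlsb carry the same digest, so only one of them needs to be analysed; for a real case, feed it the actual command output instead of the embedded strings.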