Question
We just detected an intrusion in one of our labs!!
Some strange network traffic was seen from one of the Windows servers and it was immediately isolated. Around the same time, there were some alerts for suspicious traffic originating from a Windows workstation in the same lab and we think the workstation might be associated with the intrusion.
We have included a packet capture of the network traffic for those two endpoints during this time frame. Also, we have been able to collect some details about those hosts.
Please take a look at the data and send us a writeup with your analysis. Affected hosts:
dcpfloor.doluscorp.net: This is a Windows server configured as a Domain Controller for this location. This server also acts as a DNS server for this subnet.
labicps.doluscorp.net: This is a Windows workstation, and our system administrator, Fred, was using this workstation when we detected the intrusion. He did not report any suspicious behavior on his system, but he did mention that he was accessing his personal email accounts and might have clicked on a few links.
Please be cautious while handling the file as we think it might contain live malware. Password for the file incident.zip is incident.
shaincidentzip: cfcebbfbafebc
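The question asks for a writeup from a packet capture covering the two endpoints. The block below is an added example of the first triage pass an analyst would run over such a capture, not part of the original question or of any answer: it parses a classic libpcap file with the standard library only and reports, for each named host, the DNS names it queried and the destinations it contacted outside the lab subnet. The IP addresses, the lab subnet 10.0.5.0/24, the queried domain and the packets themselves are constructed here for illustration; the real incident.zip is not used.

```python
"""Offline first-pass triage of a libpcap file (added example; all traffic
below is constructed, not taken from the incident capture in the question)."""
import struct
import ipaddress

# Hypothetical addressing for the two endpoints named in the question.
HOSTS = {"10.0.5.10": "dcpfloor.doluscorp.net", "10.0.5.50": "labicps.doluscorp.net"}
LAB_NET = ipaddress.ip_network("10.0.5.0/24")  # assumed lab subnet

def _dns_query(qname, txid=0x1234):
    """DNS header + one A/IN question for qname (used to build sample traffic)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _packet(src, dst, proto, sport, dport, payload):
    """Ethernet + IPv4 + UDP/TCP frame carrying payload; checksums left at zero."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal TCP SYN, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _pcap(frames):
    """Wrap frames in a libpcap file: magic 0xa1b2c3d4, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def _qname(dns_question):
    """Decode the first question name; None if labels are malformed or compressed."""
    parts, i = [], 0
    while i < len(dns_question) and dns_question[i] != 0:
        n = dns_question[i]
        if n & 0xC0 or i + 1 + n > len(dns_question):
            return None
        parts.append(dns_question[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(parts) if parts else None

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, qname_or_None) per IPv4 UDP/TCP frame."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        qname = None
        if proto == 17 and dport == 53 and len(l4) > 20:  # UDP hdr 8 + DNS hdr 12
            qname = _qname(l4[20:])
        yield src, dst, proto, sport, dport, qname

def triage(data, hosts=HOSTS, lab_net=LAB_NET):
    """Per named host: names it resolved and (ip, port) pairs it contacted off-subnet."""
    report = {name: {"dns": set(), "external": set()} for name in hosts.values()}
    for src, dst, proto, sport, dport, qname in parse_pcap(data):
        if src not in hosts:
            continue
        entry = report[hosts[src]]
        if qname:
            entry["dns"].add(qname)
        if ipaddress.ip_address(dst) not in lab_net:
            entry["external"].add((dst, dport))
    return report

# Constructed sample: workstation resolves a look-alike name via the DC, the DC
# forwards it upstream, the workstation then connects out on 443 and to the DC on 445.
SAMPLE_PCAP = _pcap([
    _packet("10.0.5.50", "10.0.5.10", 17, 50001, 53, _dns_query("login.doluscorp-mail.example")),
    _packet("10.0.5.10", "203.0.113.53", 17, 50002, 53, _dns_query("login.doluscorp-mail.example")),
    _packet("10.0.5.50", "198.51.100.7", 6, 50003, 443, b""),
    _packet("10.0.5.50", "10.0.5.10", 6, 50004, 445, b""),
])

if __name__ == "__main__":
    for host, e in triage(SAMPLE_PCAP).items():
        print(host, "DNS:", sorted(e["dns"]), "external:", sorted(e["external"]))
```

Because the domain controller is also the lab's DNS resolver, the same query shows up twice: once from the workstation to the DC, then from the DC to its upstream forwarder. Attributing a suspicious name to the host that first asked for it, rather than to the DC that relayed it, is the point of keying the report on the source address; the DC's own external row then tells you which forwarder the lab depends on.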
Step by Step Solution
There are 3 steps involved.
Step: 1
Thank you for providing the information about the suspected intrusion in your lab. Based on the data provided, I have conducted an analysis of the network traffic and host information to identify potent...