SUSPICIOUS ACTIVITY (22 categories, 3055 events)
WIN10X64: 901797bf-b72c-492d-b340-bcea1d46f93b
These are suspicious events that can be directly attributed to the attack.
Volume Shadow Copy Deletion (1 event)
A process attempted to delete the Volume Shadow Copy data (snapshots of the system). This technique is often used by ransomware to prevent encrypted files from being restored from backups.

Abnormal Behavior (1 event)
A process is behaving differently than expected. For example: Word creates an executable or Notepad accesses a URL.

System Security Policy Change (8 events)
A process changed a policy setting that affects the system security.

Script Execution (1 event)
Processes used to run scripts, like PowerShell and cscript. These processes are widely used in malware attacks.

Ransom Message Creation (2929 events)
A process may be creating a file containing a ransom message in every folder.

Privilege Change (25 events)
A process is running with a different privilege than the incident start process. Malware will often attempt to elevate process privileges to gain full system access.

Disable System Restore (1 event)
System Restore and/or its configuration was disabled. This is done by malware to make it harder to revert the state of the machine to before the malware was present.

Browser Tampering (8 events)
A process changed a setting related to browsers. This is often done by malware to stop data collection, redirect sites the browser visits, disable protections, etc.

Process in Temp (24 events)
The process executable was saved in the Temp folder, which is a common location for malware to run from.

Process in AppData (26 events)
The process executable was saved in the AppData folder, which is a common location for malware to run from.

Persistence (3 events)
The incident performed persistence actions to ensure execution after system boot. Persistence is performed by setting specific system registry keys or by creating files in specific system folders.

PHP Script Access (2 events)
A process has attempted to connect to one or more URLs executing a PHP script. Malware will often do this to download or upload files and information.

Mass IP Access (1 event)
A process has attempted to connect to a large number of unique IPs. Malware will often use this technique in an attempt to hide Command and Control communication.

Executable Copy (5 events)
A copy of an executable (both files have the same hash signature) with a different path was launched by the incident. This is a common technique used by malware to attempt evasion and to increase malware persistence in case elements of it are deleted or quarantined.

Dropped File Deletion (2 events)
A file, which was created as part of an incident, was later deleted by elements of the same incident. This is a common behavior of malware attempting to cover its tracks.

Disable User Access Control (1 event)
A process is attempting to disable User Access Control. By disabling User Access Control, executables that are unsigned or incorrectly signed will not prompt the user for authorization to run.

HTTP Anomaly (1 event)
HTTP communication patterns that can indicate malware activity. Examples: HTTP POST not preceded by a GET request, or numerous HTTP POST requests that can indicate command and control communications or data exfiltration.

Dropped Script (1 event)
One or more script files were created.

Dropped Executable (11 events)
One or more executable files were created.

Dangerous Execution (2 events)
System processes, such as cmd.exe, are being executed. While these processes can be loaded legitimately, their use is relatively rare and they are often abused by malware.

WallPaper Change (1 event)
A process has changed the wallpaper. Sometimes used to display ransom notes, but mostly harmless.

Execution Delay (1 event)
A process is being used to attempt to delay execution of other processes.