Introduction

A customer contacted us due to a high-severity ransomware alert in Windows Defender for Endpoint (Figure 1).

Figure 1: Suspicious network traffic detected including Ransomware

Clicking on one of the alerts does not reveal additional details besides the IP address (Figure 2).

Figure 2: Process Tree

After further clicks, we end up at the explanation in Figure 3, which doesn't inspire confidence. What exactly is happening here, and which process on the host is responsible for thes...
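When the console only hands you a remote IP address, the first thing to do on the host itself is to map that address back to the process that owns the connection. The following PowerShell triage snippet is an added example and is not part of the original article or the customer's environment; the `$RemoteIp` value is a documentation-range placeholder that must be replaced with the address from the alert, and the Sysmon section assumes Sysmon is installed on the host, which the article does not state.

```powershell
# Added triage example (not from the original article). Maps the remote IP reported
# by the EDR alert to the local process that talks to it.
# Placeholder from the documentation range (RFC 5737); replace with the IP from the alert.
$RemoteIp = '203.0.113.10'

function Get-LiveConnectionOwner {
    param([string]$Ip)
    # Live TCP sockets only; UDP endpoints carry no remote address, so they are not covered here.
    Get-NetTCPConnection -RemoteAddress $Ip -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # Win32_Process exposes command line and parent PID, which Get-Process does not.
        $w32  = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
        [pscustomobject]@{
            LocalPort   = $_.LocalPort
            RemotePort  = $_.RemotePort
            State       = $_.State
            PID         = $_.OwningProcess
            Name        = $proc.ProcessName
            Path        = $proc.Path
            CommandLine = $w32.CommandLine
            ParentPID   = $w32.ParentProcessId
        }
    }
}

function Get-SysmonConnectionHistory {
    param([string]$Ip)
    # Assumes Sysmon is installed: Event ID 3 (network connection) records Image and DestinationIp.
    # Fields are read by name from the event XML rather than by positional index, because the
    # index of DestinationIp differs between Sysmon schema versions.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $fields = @{}
            foreach ($d in $data) { $fields[$d.Name] = $d.'#text' }
            if ($fields['DestinationIp'] -eq $Ip) {
                [pscustomobject]@{
                    Time            = $_.TimeCreated
                    PID             = $fields['ProcessId']
                    Image           = $fields['Image']
                    User            = $fields['User']
                    DestinationPort = $fields['DestinationPort']
                }
            }
        }
    } catch {
        Write-Warning "Sysmon operational log not available: $($_.Exception.Message)"
    }
}

# Current sockets to the reported address, then any historical connections Sysmon saw.
Get-LiveConnectionOwner -Ip $RemoteIp | Format-Table -AutoSize
Get-SysmonConnectionHistory -Ip $RemoteIp | Format-Table -AutoSize
```

The live lookup only helps while the socket still exists; beaconing malware typically holds a connection for milliseconds, so on a host without Sysmon (or Windows Filtering Platform connection auditing) the historical view has to come from the EDR's own device timeline instead. Treat the `Path` and `CommandLine` columns with care: a legitimate binary name in `Name` says nothing about whether the on-disk file is the vendor's, so verify the signature of whatever `Path` points at before deciding the alert is a false positive.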