Modifies WinLogon for persistence

Modifies Windows Defender Real-time Protection settings

Deletes shadow copies

Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Modifies extensions of user files

Ransomware generally changes the extension on encrypted files.