Qilin ransomware forensic reconstruction using Windows logs, PCA logs, and AmCache
Technical Analysis
Summary
Huntress reconstructed a Qilin ransomware intrusion from Windows Event Logs, PCA logs, AmCache.hve, and Defender telemetry after a post-incident agent install, exposing attempted payload execution and ransom-note activity.
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Crazy ransomware gang Net Monitor for Employees Professional and SimpleHelp persistence campaign
Campaign
First: 11.02.2026 21:29
Last: 11.02.2026 21:29
Sources 1
About this happening:
**Crazy ransomware gang** is running a **remote-access persistence campaign** that uses legitimate monitoring and support tools to keep footholds inside **corporate networks**, ra...
Conpet hit by data theft breach linked to Qilin
Incident
First: 05.02.2026 17:15
Last: 05.02.2026 17:15
Sources 1
About this happening:
**Conpet** disclosed a **cyberattack** that disrupted its **business systems** and took its website offline, creating operational risk for Romania's national oil pipeline operator...
Conpet claimed document leak
Data Leak
First: 05.02.2026 17:15
Last: 05.02.2026 17:15
Sources 1
About this happening:
**Conpet** is facing a claimed **data leak** after the **Qilin ransomware gang** said it stole nearly **1TB of documents** and published sample files, raising exposure risk for in...
Weaxor ransomware deployment after React2Shell access
Malware Activity
First: 17.12.2025 18:09
Last: 17.12.2025 18:09
Sources 1
About this happening:
**Weaxor ransomware** was **deployed** after a **React2Shell** foothold, encrypting a compromised endpoint and increasing the risk of **operational disruption** and **recovery del...
Timeline
- 22.11.2025 15:45 · 1 article
Qilin ransomware forensic reconstruction using Windows logs, PCA logs, and AmCache
Initial Disclosure: The first phase centered on a **single compromised endpoint** where the agent arrived only **after** the intrusion had already occurred, leaving no live telemetry to follow. Analysts initially used local Windows artifacts to determine how **Qilin** access, payload staging, and security suppression had unfolded.
- Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
- 22.11.2025 15:45 · 1 article
Qilin payload staging and ransom-note activity on the affected endpoint
Technical Analysis Update: On 2025-10-11, the threat actor disabled Windows Defender at 2025-10-11 01:34:21 UTC, then used the rogue ScreenConnect instance to transfer r.ps1, s.exe, and ss.exe to the affected endpoint. The actor attempted to run ss.exe and later remotely accessed the endpoint at 2025-10-11 03:34:56 UTC, followed by multiple Windows Defender detections at 2025-10-11 03:35:13 UTC for Behavior:Win32/GenRansomNote and failed remediation attempts.
- Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45