Interestingly, my logs (I keep a lot of logs, basically forever) from that night, Feb 11th, are all safe. The ransomware did not have the time to delete/encrypt them (and if it did, those from the start time of the infection had already been backed up and were safe by then). Basically my backup scripts were operating DURING the infection.

I know the theoretical time of the infection from two sources: the name of the encrypted file, and the time when they were first created, which is consistent: 01:50am circa.

So, I have logs.

I think I'll find reference to C:\Program Files (x86)\1c\boot.exe, and to the "pr" registry entry that would run the boot.exe at boot, in the Windows System and Security Events. And I'll get to those (I am taking my time).

But, what else do you think I should be looking for? I can't think of a log I do not have (even though there may be one; I try to log all that I can, and I keep that stuff forever).

Part of me hopes that if/when I find out how this happened, I'll feel so totally stupid for overlooking something. I am not sure I'd be happier in the very likely event I find out instead that all was caused by some zero-day vulnerability.

Also, I hear you when you say to nuke from orbit and re-start, guys. But, I am too curious now and I really want to know.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
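One way to pull the relevant Windows event records into a single timeline around the suspected 01:50 infection window, as an added PowerShell example (not the poster's own procedure). It assumes the preserved logs are mounted on a Windows host, that process-creation (4688) and registry (4657) auditing was enabled, that the "pr" value sits under the HKLM Run key, and uses a placeholder year since the post does not give one.

```powershell
# Added example: forensic triage of Security/System event logs around the
# suspected infection time. Assumptions are marked inline.
$Year      = 2019                                   # placeholder: the post gives only "Feb 11th"
$Start     = Get-Date "$Year-02-11 01:00"
$End       = $Start.AddHours(3)                     # window around the ~01:50 first-encryption time
$Suspect   = 'C:\Program Files (x86)\1c\boot.exe'  # path quoted in the post
$ValueName = 'pr'                                   # registry value name quoted in the post

function Get-Window([string]$Log, [int[]]$Ids) {
    # Wrapper so every query uses the same time window and tolerates an empty result.
    Get-WinEvent -FilterHashtable @{LogName=$Log; Id=$Ids; StartTime=$Start; EndTime=$End} `
        -ErrorAction SilentlyContinue
}

# 1. Process creation (Security 4688) mentioning the dropped binary. The
#    "Creator Process Name" field in the message shows what launched it.
$procs = Get-Window 'Security' 4688 |
    Where-Object { $_.Message -match [regex]::Escape($Suspect) }

# 2. Registry value changes (Security 4657) touching the autorun value.
#    Assumption: the value lives under ...\CurrentVersion\Run.
$regs = Get-Window 'Security' 4657 |
    Where-Object { $_.Message -match '\\Run' -and $_.Message -match "Object Value Name:\s+$ValueName" }

# 3. Interactive network logons in the same window (4624 success, 4625 failure).
#    Logon type 10 (RDP) or 3 (network) just before 01:50 narrows the entry point.
$logons = Get-Window 'Security' 4624,4625 |
    Where-Object { $_.Message -match 'Logon Type:\s+(3|10)' }

# 4. New services (System 7045) and scheduled tasks (Security 4698): the other
#    two persistence routes worth checking next to the Run key.
$svcs  = Get-Window 'System'   7045
$tasks = Get-Window 'Security' 4698

# One chronological timeline, oldest first; TimeCreated is local machine time.
@($procs) + @($regs) + @($logons) + @($svcs) + @($tasks) |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message
```

If 4688 or 4657 were not being audited at the time, the Security log will be silent on boot.exe even though the file and the Run value exist; in that case the System log (7045), Task Scheduler operational log and the file-system timestamps on the 1c folder are the remaining sources.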