This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec. They conducted extensive reconnaissance and credential harvesting across multiple systems. After 11 days, they deployed LockBit ransomware using a combination of WMI and PsExec. The attack involved disabling Windows Defender, leveraging scheduled tasks, and exploiting legitimate processes. The threat actor exfiltrated data to MEGA.io and an FTP server before encrypting the environment.