Trigona Ransomware in 3 Hours
A domain Administrator credential logged into an internet-exposed RDP host (no brute force), and 2h49m later Trigona was encrypting the whole network over SMB. Every step rode valid admin credentials and built-in tooling, so each signal on its own reads as legitimate administration. The incident is only detectable with confidence by chaining the steps on one identity within a 3h window. This is the cleanest possible proof that detection fidelity lives in correlation, not in any single query.
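As an added illustration of that point (example code, not from The DFIR Report or the Sentinel content it references): an identity-keyed correlation that fires only when an external RDP logon is followed by a mass SMB write burst by the same account inside a 3h window. The event labels and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report): (timestamp, identity, signal).
# Each signal alone is ordinary administration; only the ordered chain is suspect.
EVENTS = [
    ("2023-01-01T09:00:00", "CORP\\Administrator", "rdp_logon_external"),
    ("2023-01-01T09:40:00", "CORP\\Administrator", "remote_service_install"),
    ("2023-01-01T10:15:00", "CORP\\Administrator", "mass_smb_write"),
    ("2023-01-01T11:49:00", "CORP\\Administrator", "mass_smb_write"),
    ("2023-01-01T08:00:00", "CORP\\backup_svc", "mass_smb_write"),    # nightly backup, no RDP
    ("2023-01-02T09:00:00", "CORP\\helpdesk", "rdp_logon_external"),  # RDP only, nothing follows
    ("2023-01-02T16:00:00", "CORP\\helpdesk", "mass_smb_write"),      # 7h later: outside window
]

# Required order of signals; a hypothetical chain chosen to mirror the intrusion above.
CHAIN = ("rdp_logon_external", "mass_smb_write")


def alerts(events, window_hours=3, chain=CHAIN):
    """Return [(identity, minutes_from_first_signal_to_chain_completion)] for every
    identity whose events complete `chain` in order within the window."""
    window = timedelta(hours=window_hours)
    by_identity = defaultdict(list)
    for ts, ident, signal in events:
        by_identity[ident].append((datetime.fromisoformat(ts), signal))

    hits = []
    for ident, evs in by_identity.items():
        evs.sort()  # correlation is per identity, in time order
        for i, (t0, s0) in enumerate(evs):
            if s0 != chain[0]:
                continue
            need = list(chain[1:])  # remaining signals still to be seen
            for t, s in evs[i + 1:]:
                if t - t0 > window:  # window expired: this anchor cannot complete
                    break
                if need and s == need[0]:
                    need.pop(0)
                if not need:
                    hits.append((ident, int((t - t0).total_seconds() // 60)))
                    break
            if hits and hits[-1][0] == ident:
                break  # one alert per identity is enough
    return sorted(hits)
```

Swap the constructed signal names for the real logon and file-activity tables in your SIEM; the shape (anchor on the first signal, walk forward per identity, expire at the window) is what carries the fidelity.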
Trigona Ransomware · ~2h49m from initial access to encryption · 6 steps
Source: The DFIR Report #19172 · Defender XDR · Microsoft Sentinel