
After what seems a human-directed ransomware attack, I am analyzing the system. It is a Windows Server 2016 and I had created the usual Administrator account. Now I see that during the attack, a new "Administrador.WIN-RSDLE3HIAER" account has appeared under the C:\Users folder. The old plain Administrator still exists but it seems like all files are now under the newly created account (Downloads, Favorites, Desktop, etc. are still in the original account, but empty). It is like the profile was moved to the new account.

My question, in the search of learning, is why is this done, why create a new account? Is this some kind of self-protection from the attackers? Why is all my original content now under the newly created account? I could still enter "Administrator" on the login page and access my profile, so this is why I cannot understand the nature of the new account/folder, how I got redirected... in a word... how does this thing work?

Cheers

kankamuso

1 Answer


Possible explanation: there is no new account, nor was the new folder intentionally created by the attacker. The user profile of the administrator account was damaged during the attack, or by some defense or recovery measures. This has then triggered the profile repair mechanism of Windows.

When Windows encounters an unrecoverable error loading the profile of a user while logging on, it creates a new profile folder automatically, appending a random suffix to the name. It also tries moving over as much of the data as possible from the old, damaged profile. So the folder C:\Users\Administrador.WIN-RSDLE3HIAER would just be a new profile folder for the existing administrator account Administrador.

To confirm this, check the owner and permissions of the folders C:\Users\Administrador and C:\Users\Administrador.WIN-RSDLE3HIAER, and match them to the local users in the Windows Security Account Manager (SAM) database. If you are doing this from a live Linux system, use a tool like chntpw to access the SAM database file %SystemRoot%\System32\config\SAM.

Tilman Schmidt
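One way to carry out the check the answer describes from the live Windows host itself, as an added example that is not part of the original question or answer: it reads the owner SID of each of the two profile folders named in the question, looks each SID up in the local SAM through Get-LocalUser, and lists which ProfileList registry subkeys point at each folder. The folder paths are the ones from the question; the variable and function names are my own, and the script assumes an elevated PowerShell session on the affected server.

```powershell
# Added example, not part of the original question or answer. Maps the two
# profile folders from the question to account SIDs via folder ownership,
# the ProfileList registry key and the local SAM (Get-LocalUser), so the
# "repaired profile" explanation can be confirmed or ruled out.
# Run from an elevated PowerShell on the affected Windows Server 2016 host.
# Variable and function names below are my own.

$ProfileFolders = @(
    'C:\Users\Administrador',
    'C:\Users\Administrador.WIN-RSDLE3HIAER'
)

# Owner of a folder as a SID string (works even when the account name no longer resolves).
function Get-FolderOwnerSid {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
}

# Every profile Windows knows about: one subkey per SID. A subkey ending in
# ".bak" is one Windows set aside after it failed to load that profile.
function Get-ProfileListEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $sub.PSPath
        [pscustomobject]@{
            Sid       = $sub.PSChildName
            ImagePath = [Environment]::ExpandEnvironmentVariables([string]$props.ProfileImagePath)
        }
    }
}

$profileList = Get-ProfileListEntries
$localUsers  = Get-LocalUser   # local SAM accounts with their SIDs

$report = foreach ($folder in $ProfileFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    $ownerSid = Get-FolderOwnerSid -Path $folder
    $user     = $localUsers | Where-Object { $_.SID.Value -eq $ownerSid }
    $entries  = $profileList | Where-Object { $_.ImagePath -eq $folder }
    [pscustomobject]@{
        Folder          = $folder
        OwnerSid        = $ownerSid
        OwnerAccount    = if ($user) { $user.Name } else { '(no local SAM account)' }
        IsBuiltinAdmin  = $ownerSid -like 'S-1-5-21-*-500'   # RID 500 = built-in Administrator
        ProfileListKeys = ($entries.Sid -join ', ')
        LastLogon       = if ($user) { $user.LastLogon } else { $null }
    }
}

$report | Format-List

# Reading the result:
#  - Same OwnerSid on both folders, with the ProfileList subkey for that SID now
#    pointing at the ".WIN-..." folder (often next to a "<SID>.bak" subkey that
#    still points at the old folder), fits the profile-repair explanation.
#  - A different OwnerSid, especially one with no matching local account, means a
#    second principal was involved and the folder needs incident-response attention.
```

The comparison is deliberately done on SIDs rather than on account names, because a renamed or deleted account leaves the folder's owner SID in place while the name may no longer resolve; the RID 500 test identifies the built-in Administrator regardless of what it has been renamed to.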