Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-j4zlpstxb1
Target a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.zip
SHA256 54b28d10fb97433918fab2f72777263a00e5ce22d681b547c29def25dfdf0a5e
Tags
interlock ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

54b28d10fb97433918fab2f72777263a00e5ce22d681b547c29def25dfdf0a5e

Threat Level: Known bad

The file a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.zip was found to be: Known bad.

Malicious Activity Summary

interlock ransomware

Interlock

Interlock family

Renames multiple (7435) files with added filename extension

Renames multiple (7429) files with added filename extension

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-05-15 08:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 08:14

Reported

2025-05-15 08:15

Platform

win10v2004-20250502-en

Max time kernel

67s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"

Signatures

Interlock

ransomware interlock

Interlock family

interlock

Renames multiple (7429) files with added filename extension

ransomware

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe

"C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\!__README__!.txt

MD5 7037527ffd3ebe496f9df5278f1004f8
SHA1 fd37a41c913acde1fc3e3d75a1f776f5a113dff1
SHA256 08b14c7d4be16cae6d08885e174cbc8485d81cfccdaca332418859267f528420
SHA512 1f9a43c24e1d07b420b0f85c587c52dfac5af705cc7f082681d958035b95e6bc6e3f6edc0faac80ab40c96f7337223aefcc0499951b88133bbf5754fe106d4fb

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 08:14

Reported

2025-05-15 08:16

Platform

win11-20250502-en

Max time kernel

40s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"

Signatures

Interlock

ransomware interlock

Interlock family

interlock

Renames multiple (7435) files with added filename extension

ransomware

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe

"C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

C:\Program Files\7-Zip\!__README__!.txt

MD5 7037527ffd3ebe496f9df5278f1004f8
SHA1 fd37a41c913acde1fc3e3d75a1f776f5a113dff1
SHA256 08b14c7d4be16cae6d08885e174cbc8485d81cfccdaca332418859267f528420
SHA512 1f9a43c24e1d07b420b0f85c587c52dfac5af705cc7f082681d958035b95e6bc6e3f6edc0faac80ab40c96f7337223aefcc0499951b88133bbf5754fe106d4fb
