Analysis Overview
SHA256: da18f877a9e00463bc59236c3f4c7b93bd964b67aa6f7628a240df84c8a07971
Threat Level: Likely malicious
The file ranzomware.zip was found to be: Likely malicious.
Malicious Activity Summary
Modifies extensions of user files
Reads user/profile data of web browsers
Program crash
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-03-27 23:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-03-27 23:38
Reported: 2023-03-27 23:41
Platform: win10v2004-20230220-en
Max time kernel: 116s
Max time network: 118s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\LimitCheckpoint.png.TROLLD.t => C:\Users\Admin\Pictures\LimitCheckpoint.png.TROLLD | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\Pictures\WaitConvert.crw.TROLLD.t | C:\Windows\system32\certutil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ApproveSubmit.tif.TROLLD.t => C:\Users\Admin\Pictures\ApproveSubmit.tif.TROLLD | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\Pictures\DismountRename.tif.TROLLD.t | C:\Windows\system32\certutil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DismountRename.tif.TROLLD.t => C:\Users\Admin\Pictures\DismountRename.tif.TROLLD | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\Pictures\InitializeAssert.png.TROLLD.t | C:\Windows\system32\certutil.exe | N/A |
| File created | C:\Users\Admin\Pictures\LimitCheckpoint.png.TROLLD.t | C:\Windows\system32\certutil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitConvert.crw.TROLLD.t => C:\Users\Admin\Pictures\WaitConvert.crw.TROLLD | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\Pictures\ApproveSubmit.tif.TROLLD.t | C:\Windows\system32\certutil.exe | N/A |
| File created | C:\Users\Admin\Pictures\BlockCheckpoint.tiff.TROLLD.t | C:\Windows\system32\certutil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockCheckpoint.tiff.TROLLD.t => C:\Users\Admin\Pictures\BlockCheckpoint.tiff.TROLLD | C:\Windows\system32\cmd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeAssert.png.TROLLD.t => C:\Users\Admin\Pictures\InitializeAssert.png.TROLLD | C:\Windows\system32\cmd.exe | N/A |
Reads user/profile data of web browsers
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ranzomware.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2728 -ip 2728
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2728 -s 1776
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6642:78:7zEvent29040
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\encrypt.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT" "NTUSER.DAT.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT.TROLLD.t" "NTUSER.DAT.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT.TROLLD.t" "NTUSER.DAT.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT.TROLLD.t" "NTUSER.DAT.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT.TROLLD.t" "NTUSER.DAT.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT.TROLLD.t" "NTUSER.DAT.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT.TROLLD.t" "NTUSER.DAT.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1" "ntuser.dat.LOG1.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1.TROLLD.t" "ntuser.dat.LOG1.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1.TROLLD.t" "ntuser.dat.LOG1.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1.TROLLD.t" "ntuser.dat.LOG1.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1.TROLLD.t" "ntuser.dat.LOG1.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1.TROLLD.t" "ntuser.dat.LOG1.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1.TROLLD.t" "ntuser.dat.LOG1.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2" "ntuser.dat.LOG2.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2.TROLLD.t" "ntuser.dat.LOG2.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2.TROLLD.t" "ntuser.dat.LOG2.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2.TROLLD.t" "ntuser.dat.LOG2.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2.TROLLD.t" "ntuser.dat.LOG2.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2.TROLLD.t" "ntuser.dat.LOG2.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2.TROLLD.t" "ntuser.dat.LOG2.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini" "ntuser.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s /ad
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\encrypt.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\encrypt.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT" "NTUSER.DAT.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG1" "ntuser.dat.LOG1.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.dat.LOG2" "ntuser.dat.LOG2.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms" "NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini" "ntuser.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t" "ntuser.ini.TROLLD.t.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ntuser.ini.TROLLD.t.t" "ntuser.ini.TROLLD.t.t.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s /ad
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "90737d32e3aba4b.timestamp" "90737d32e3aba4b.timestamp.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "BackupExit.temp" "BackupExit.temp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "compile.bat" "compile.bat.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CompleteAdd.pdf" "CompleteAdd.pdf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConvertFromOptimize.dll" "ConvertFromOptimize.dll.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CopyRestart.jpe" "CopyRestart.jpe.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DebugMerge.mpe" "DebugMerge.mpe.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DismountSwitch.mp3" "DismountSwitch.mp3.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "encrypt.bat" "encrypt.bat.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExitSave.sys" "ExitSave.sys.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ImportUnblock.vbs" "ImportUnblock.vbs.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JoinUnprotect.xltx" "JoinUnprotect.xltx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "LimitRead.wps" "LimitRead.wps.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "MergeDisable.gif" "MergeDisable.gif.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "MergeSuspend.docx" "MergeSuspend.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Microsoft Edge.lnk" "Microsoft Edge.lnk.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OutMeasure.vssm" "OutMeasure.vssm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ranzomware.zip" "ranzomware.zip.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ReadConvertTo.M2TS" "ReadConvertTo.M2TS.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RequestBlock.jpg" "RequestBlock.jpg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RequestSearch.ini" "RequestSearch.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ResizeSelect.mhtml" "ResizeSelect.mhtml.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RestartConvertFrom.txt" "RestartConvertFrom.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ROBKQPFG-20230220-1902.log" "ROBKQPFG-20230220-1902.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SaveDebug.jpe" "SaveDebug.jpe.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnlockUse.bat" "UnlockUse.bat.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UseCheckpoint.ttf" "UseCheckpoint.ttf.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "AddSave.vstx" "AddSave.vstx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Are.docx" "Are.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CloseAssert.pub" "CloseAssert.pub.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConvertFormat.xlsx" "ConvertFormat.xlsx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "EditSync.ppsm" "EditSync.ppsm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExportGroup.mpp" "ExportGroup.mpp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Files.docx" "Files.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GrantSplit.xls" "GrantSplit.xls.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ImportRead.xlsb" "ImportRead.xlsb.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "InstallSelect.dotm" "InstallSelect.dotm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "LimitMerge.vdx" "LimitMerge.vdx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Opened.docx" "Opened.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PublishGroup.vstx" "PublishGroup.vstx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ReadRename.vst" "ReadRename.vst.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Recently.docx" "Recently.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RedoGrant.potx" "RedoGrant.potx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RenameFormat.htm" "RenameFormat.htm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RestartResolve.odp" "RestartResolve.odp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ResumeMove.vsw" "ResumeMove.vsw.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "These.docx" "These.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnlockRestore.vsdx" "UnlockRestore.vsdx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnprotectSet.vsx" "UnprotectSet.vsx.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "ApproveStart.xps" "ApproveStart.xps.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "AssertReceive.ogg" "AssertReceive.ogg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConvertOpen.vstm" "ConvertOpen.vstm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CopyDebug.ex_" "CopyDebug.ex_.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CopySwitch.dot" "CopySwitch.dot.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DebugTrace.dib" "DebugTrace.dib.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DenyDisconnect.svgz" "DenyDisconnect.svgz.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "EnableSubmit.dwg" "EnableSubmit.dwg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExportInvoke.vdx" "ExportInvoke.vdx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExportSplit.crw" "ExportSplit.crw.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "FindOptimize.ex_" "FindOptimize.ex_.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JoinConvert.cab" "JoinConvert.cab.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JoinExport.mht" "JoinExport.mht.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JoinSave.3gp" "JoinSave.3gp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "LockSubmit.fon" "LockSubmit.fon.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NewClear.vsw" "NewClear.vsw.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RegisterReset.pcx" "RegisterReset.pcx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RemoveConvert.mht" "RemoveConvert.mht.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RenameCheckpoint.vst" "RenameCheckpoint.vst.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RepairJoin.eps" "RepairJoin.eps.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ResetPop.docx" "ResetPop.docx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RevokeConfirm.aifc" "RevokeConfirm.aifc.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SendBlock.ex_" "SendBlock.ex_.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SkipCompare.dib" "SkipCompare.dib.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SubmitMove.reg" "SubmitMove.reg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "TestPing.mht" "TestPing.mht.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "TestSearch.temp" "TestSearch.temp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UndoBlock.xlt" "UndoBlock.xlt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnpublishBlock.mp2v" "UnpublishBlock.mp2v.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnpublishSet.midi" "UnpublishSet.midi.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "Bing.url" "Bing.url.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Desktop.lnk" "Desktop.lnk.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Downloads.lnk" "Downloads.lnk.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "AddEnter.mpeg" "AddEnter.mpeg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ApproveRequest.ADTS" "ApproveRequest.ADTS.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "AssertOpen.ttf" "AssertOpen.ttf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "BackupMount.vsx" "BackupMount.vsx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CloseRevoke.cmd" "CloseRevoke.cmd.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CompleteMount.inf" "CompleteMount.inf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CompleteShow.mpp" "CompleteShow.mpp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConvertUpdate.dib" "ConvertUpdate.dib.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DisconnectCheckpoint.lock" "DisconnectCheckpoint.lock.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DisconnectSuspend.ex_" "DisconnectSuspend.ex_.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExpandConnect.wvx" "ExpandConnect.wvx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExpandRead.emf" "ExpandRead.emf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExportAdd.vbe" "ExportAdd.vbe.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "FindStart.snd" "FindStart.snd.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GrantOpen.ini" "GrantOpen.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "HideRestore.svg" "HideRestore.svg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "InstallDisconnect.asf" "InstallDisconnect.asf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "LimitResume.avi" "LimitResume.avi.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "MergePing.mp4v" "MergePing.mp4v.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OptimizeResize.avi" "OptimizeResize.avi.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OutConvert.dotm" "OutConvert.dotm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OutResize.rmi" "OutResize.rmi.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PingReset.vst" "PingReset.vst.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PopRestart.scf" "PopRestart.scf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PublishUpdate.mp3" "PublishUpdate.mp3.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ReadAssert.mov" "ReadAssert.mov.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RestartSplit.xltx" "RestartSplit.xltx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SendImport.rm" "SendImport.rm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SkipEnter.rm" "SkipEnter.rm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SkipOptimize.avi" "SkipOptimize.avi.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SplitPing.pub" "SplitPing.pub.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SuspendRequest.vstm" "SuspendRequest.vstm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "TestUnpublish.rm" "TestUnpublish.rm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UninstallApprove.mp4" "UninstallApprove.mp4.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnregisterPush.vsw" "UnregisterPush.vsw.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UpdateSubmit.avi" "UpdateSubmit.avi.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "WaitRename.search-ms" "WaitRename.search-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "WatchResume.sys" "WatchResume.sys.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "ApproveSubmit.tif" "ApproveSubmit.tif.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "AssertExit.emf" "AssertExit.emf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "BlockCheckpoint.tiff" "BlockCheckpoint.tiff.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "BlockOut.emz" "BlockOut.emz.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConfirmCopy.eps" "ConfirmCopy.eps.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConvertTrace.jpg" "ConvertTrace.jpg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DebugBlock.pcx" "DebugBlock.pcx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DisconnectWait.svg" "DisconnectWait.svg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "DismountRename.tif" "DismountRename.tif.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "EditResume.emf" "EditResume.emf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "EnableShow.ico" "EnableShow.ico.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ImportSync.svgz" "ImportSync.svgz.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "InitializeAssert.png" "InitializeAssert.png.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "LimitCheckpoint.png" "LimitCheckpoint.png.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "LimitEdit.svg" "LimitEdit.svg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "My Wallpaper.jpg" "My Wallpaper.jpg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PingOptimize.svg" "PingOptimize.svg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PublishFind.bmp" "PublishFind.bmp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PushLimit.bmp" "PushLimit.bmp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ReadWait.dib" "ReadWait.dib.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ResolveProtect.svgz" "ResolveProtect.svgz.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ResolveUnlock.svg" "ResolveUnlock.svg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "RestartNew.dwg" "RestartNew.dwg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SendUninstall.emf" "SendUninstall.emf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ShowRestore.bmp" "ShowRestore.bmp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SplitRemove.pcx" "SplitRemove.pcx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "StartUnlock.eps" "StartUnlock.eps.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SuspendEdit.ico" "SuspendEdit.ico.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SwitchDisconnect.pcx" "SwitchDisconnect.pcx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "TestConvert.dib" "TestConvert.dib.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "TestRevoke.eps" "TestRevoke.eps.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnregisterExpand.emz" "UnregisterExpand.emz.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnregisterResume.gif" "UnregisterResume.gif.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "WaitConvert.crw" "WaitConvert.crw.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "WatchConvertFrom.emf" "WatchConvertFrom.emf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "WatchRemove.svg" "WatchRemove.svg.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Everywhere.search-ms" "Everywhere.search-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Indexed Locations.search-ms" "Indexed Locations.search-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "winrt--{S-1-5-21-1529757233-3489015626-3409890339-1000}-.searchconnector-ms" "winrt--{S-1-5-21-1529757233-3489015626-3409890339-1000}-.searchconnector-ms.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "IconCache.db" "IconCache.db.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "AssertDisable.ps1xml" "AssertDisable.ps1xml.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "CloseSave.hta" "CloseSave.hta.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ConvertEdit.vbs" "ConvertEdit.vbs.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "EditEnable.scf" "EditEnable.scf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "EnableEdit.wvx" "EnableEdit.wvx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExitDeny.jpe" "ExitDeny.jpe.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ExportSubmit.wm" "ExportSubmit.wm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "FindSet.snd" "FindSet.snd.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "FindSplit.search-ms" "FindSplit.search-ms.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GetStart.dxf" "GetStart.dxf.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GrantStop.mp3" "GrantStop.mp3.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GrantUse.zip" "GrantUse.zip.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GroupComplete.sql" "GroupComplete.sql.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "GroupExport.cr2" "GroupExport.cr2.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "HideGrant.TS" "HideGrant.TS.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JoinAssert.i64" "JoinAssert.i64.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JoinPop.aifc" "JoinPop.aifc.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "MeasureExit.bat" "MeasureExit.bat.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "MeasureRemove.wmx" "MeasureRemove.wmx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "MergeNew.xml" "MergeNew.xml.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NewSearch.nfo" "NewSearch.nfo.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "NewWrite.tif" "NewWrite.tif.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OptimizeFormat.docm" "OptimizeFormat.docm.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OptimizeRegister.avi" "OptimizeRegister.avi.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "OutBlock.txt" "OutBlock.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PopInitialize.dib" "PopInitialize.dib.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PopTest.png" "PopTest.png.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "PublishClear.DVR-MS" "PublishClear.DVR-MS.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ReadRegister.cfg" "ReadRegister.cfg.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ReadRename.ttc" "ReadRename.ttc.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SearchConnect.css" "SearchConnect.css.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SearchCopy.asx" "SearchCopy.asx.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "StepDismount.xlsb" "StepDismount.xlsb.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SubmitUnlock.mpe" "SubmitUnlock.mpe.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "SwitchRename.cmd" "SwitchRename.cmd.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "TestMeasure.3gp" "TestMeasure.3gp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UndoPublish.3gp2" "UndoPublish.3gp2.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "UnlockMerge.iso" "UnlockMerge.iso.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "CDPGlobalSettings.cdp" "CDPGlobalSettings.cdp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Connected Devices Platform certificates.sst" "Connected Devices Platform certificates.sst.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "L.Admin.cdp" "L.Admin.cdp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "L.Admin.cdpresource" "L.Admin.cdpresource.TROLLD.t"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /a-d
C:\Windows\system32\certutil.exe
certutil -encode "AdobeSFX.log" "AdobeSFX.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "aria-debug-4028.log" "aria-debug-4028.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "BroadcastMsg_1676919695.txt" "BroadcastMsg_1676919695.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "chrome_installer.log" "chrome_installer.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "dd_vcredistMSI59ED.txt" "dd_vcredistMSI59ED.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "dd_vcredistMSI5A1B.txt" "dd_vcredistMSI5A1B.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "dd_vcredistUI59ED.txt" "dd_vcredistUI59ED.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "dd_vcredistUI5A1B.txt" "dd_vcredistUI5A1B.txt.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "JavaDeployReg.log" "JavaDeployReg.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "jawshtml.html" "jawshtml.html.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "jusched.log" "jusched.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "Microsoft .NET Framework 4.7.2 Setup_20230220_185643140.html" "Microsoft .NET Framework 4.7.2 Setup_20230220_185643140.html.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "msedge_installer.log" "msedge_installer.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ROBKQPFG-20230220-1902.log" "ROBKQPFG-20230220-1902.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "ROBKQPFG-20230220-1902a.log" "ROBKQPFG-20230220-1902a.log.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "tmp2DD8.tmp" "tmp2DD8.tmp.TROLLD.t"
C:\Windows\system32\certutil.exe
certutil -encode "tmp3048.tmp" "tmp3048.tmp.TROLLD.t"
Network
Files