da18f877a9e00463bc59236c3f4c7b93bd964b67aa6f7628a240df84c8a07971

Analysis

max time kernel
79s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-04-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ranzomware.zip
Size

524B
MD5

e8376f0c3ebbc28144ef40453c563370
SHA1

91efa1481b11230f374c494f116cbce078947c2d
SHA256

da18f877a9e00463bc59236c3f4c7b93bd964b67aa6f7628a240df84c8a07971
SHA512

590af65d0346273c23d0e6474b7bc1765ab43af449c135d3dff4641849c53727effe7b82c417c782a0e066844e271fd157a6ec8086f628a736b659a832b2a1c0

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\HideAdd.png.TROLLD.t => C:\Users\Admin\Pictures\HideAdd.png.TROLLD	cmd.exe
File created	C:\Users\Admin\Pictures\JoinResolve.png.TROLLD.t	certutil.exe
File renamed	C:\Users\Admin\Pictures\SearchClose.tiff.TROLLD.t => C:\Users\Admin\Pictures\SearchClose.tiff.TROLLD	cmd.exe
File created	C:\Users\Admin\Pictures\ShowExpand.tiff.TROLLD.t	certutil.exe
File renamed	C:\Users\Admin\Pictures\ShowExpand.tiff.TROLLD.t => C:\Users\Admin\Pictures\ShowExpand.tiff.TROLLD	cmd.exe
File created	C:\Users\Admin\Pictures\ExitFind.tif.TROLLD.t	certutil.exe
File renamed	C:\Users\Admin\Pictures\ExitFind.tif.TROLLD.t => C:\Users\Admin\Pictures\ExitFind.tif.TROLLD	cmd.exe
File created	C:\Users\Admin\Pictures\HideAdd.png.TROLLD.t	certutil.exe
File renamed	C:\Users\Admin\Pictures\JoinResolve.png.TROLLD.t => C:\Users\Admin\Pictures\JoinResolve.png.TROLLD	cmd.exe
File created	C:\Users\Admin\Pictures\SearchClose.tiff.TROLLD.t	certutil.exe

Deletes itself 1 IoCs

pid	Process
1492	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1424	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2000	7zG.exe
Token: 35	2000	7zG.exe
Token: SeSecurityPrivilege	2000	7zG.exe
Token: SeSecurityPrivilege	2000	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2000	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 752	1492	cmd.exe	34
PID 1492 wrote to memory of 752	1492	cmd.exe	34
PID 1492 wrote to memory of 752	1492	cmd.exe	34
PID 1492 wrote to memory of 1052	1492	cmd.exe	35
PID 1492 wrote to memory of 1052	1492	cmd.exe	35
PID 1492 wrote to memory of 1052	1492	cmd.exe	35
PID 1492 wrote to memory of 1524	1492	cmd.exe	36
PID 1492 wrote to memory of 1524	1492	cmd.exe	36
PID 1492 wrote to memory of 1524	1492	cmd.exe	36
PID 1492 wrote to memory of 1332	1492	cmd.exe	37
PID 1492 wrote to memory of 1332	1492	cmd.exe	37
PID 1492 wrote to memory of 1332	1492	cmd.exe	37
PID 1492 wrote to memory of 1964	1492	cmd.exe	38
PID 1492 wrote to memory of 1964	1492	cmd.exe	38
PID 1492 wrote to memory of 1964	1492	cmd.exe	38
PID 1492 wrote to memory of 1960	1492	cmd.exe	39
PID 1492 wrote to memory of 1960	1492	cmd.exe	39
PID 1492 wrote to memory of 1960	1492	cmd.exe	39
PID 1492 wrote to memory of 1812	1492	cmd.exe	40
PID 1492 wrote to memory of 1812	1492	cmd.exe	40
PID 1492 wrote to memory of 1812	1492	cmd.exe	40
PID 1492 wrote to memory of 1936	1492	cmd.exe	41
PID 1492 wrote to memory of 1936	1492	cmd.exe	41
PID 1492 wrote to memory of 1936	1492	cmd.exe	41
PID 1492 wrote to memory of 1676	1492	cmd.exe	42
PID 1492 wrote to memory of 1676	1492	cmd.exe	42
PID 1492 wrote to memory of 1676	1492	cmd.exe	42
PID 1492 wrote to memory of 1628	1492	cmd.exe	43
PID 1492 wrote to memory of 1628	1492	cmd.exe	43
PID 1492 wrote to memory of 1628	1492	cmd.exe	43
PID 1492 wrote to memory of 1780	1492	cmd.exe	44
PID 1492 wrote to memory of 1780	1492	cmd.exe	44
PID 1492 wrote to memory of 1780	1492	cmd.exe	44
PID 1492 wrote to memory of 960	1492	cmd.exe	45
PID 1492 wrote to memory of 960	1492	cmd.exe	45
PID 1492 wrote to memory of 960	1492	cmd.exe	45
PID 1492 wrote to memory of 1612	1492	cmd.exe	46
PID 1492 wrote to memory of 1612	1492	cmd.exe	46
PID 1492 wrote to memory of 1612	1492	cmd.exe	46
PID 1492 wrote to memory of 1300	1492	cmd.exe	47
PID 1492 wrote to memory of 1300	1492	cmd.exe	47
PID 1492 wrote to memory of 1300	1492	cmd.exe	47
PID 1492 wrote to memory of 2032	1492	cmd.exe	48
PID 1492 wrote to memory of 2032	1492	cmd.exe	48
PID 1492 wrote to memory of 2032	1492	cmd.exe	48
PID 1492 wrote to memory of 1688	1492	cmd.exe	49
PID 1492 wrote to memory of 1688	1492	cmd.exe	49
PID 1492 wrote to memory of 1688	1492	cmd.exe	49
PID 1492 wrote to memory of 1348	1492	cmd.exe	50
PID 1492 wrote to memory of 1348	1492	cmd.exe	50
PID 1492 wrote to memory of 1348	1492	cmd.exe	50
PID 1492 wrote to memory of 776	1492	cmd.exe	51
PID 1492 wrote to memory of 776	1492	cmd.exe	51
PID 1492 wrote to memory of 776	1492	cmd.exe	51
PID 1492 wrote to memory of 808	1492	cmd.exe	52
PID 1492 wrote to memory of 808	1492	cmd.exe	52
PID 1492 wrote to memory of 808	1492	cmd.exe	52
PID 1492 wrote to memory of 1060	1492	cmd.exe	53
PID 1492 wrote to memory of 1060	1492	cmd.exe	53
PID 1492 wrote to memory of 1060	1492	cmd.exe	53
PID 1492 wrote to memory of 324	1492	cmd.exe	54
PID 1492 wrote to memory of 324	1492	cmd.exe	54
PID 1492 wrote to memory of 324	1492	cmd.exe	54
PID 1492 wrote to memory of 948	1492	cmd.exe	55

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ranzomware.zip
1⤵
PID:1012

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2012

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap7089:78:7zEvent15632
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2000

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\encrypt.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1424

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\encrypt.bat" "
1⤵
- Modifies extensions of user files
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:752
- C:\Windows\system32\certutil.exe
  certutil -encode "deployment.properties" "deployment.properties.TROLLD.t"
  2⤵
  PID:1052
- C:\Windows\system32\certutil.exe
  certutil -encode "NTUSER.DAT" "NTUSER.DAT.TROLLD.t"
  2⤵
  PID:1524
- C:\Windows\system32\certutil.exe
  certutil -encode "ntuser.dat.LOG1" "ntuser.dat.LOG1.TROLLD.t"
  2⤵
  PID:1332
- C:\Windows\system32\certutil.exe
  certutil -encode "ntuser.dat.LOG2" "ntuser.dat.LOG2.TROLLD.t"
  2⤵
  PID:1964
- C:\Windows\system32\certutil.exe
  certutil -encode "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.TROLLD.t"
  2⤵
  PID:1960
- C:\Windows\system32\certutil.exe
  certutil -encode "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.TROLLD.t"
  2⤵
  PID:1812
- C:\Windows\system32\certutil.exe
  certutil -encode "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.TROLLD.t"
  2⤵
  PID:1936
- C:\Windows\system32\certutil.exe
  certutil -encode "ntuser.ini" "ntuser.ini.TROLLD.t"
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s /ad
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1612
- C:\Windows\system32\certutil.exe
  certutil -encode "Admin.contact" "Admin.contact.TROLLD.t"
  2⤵
  PID:1300
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1348
- C:\Windows\system32\certutil.exe
  certutil -encode "ApprovePublish.jpg" "ApprovePublish.jpg.TROLLD.t"
  2⤵
  PID:776
- C:\Windows\system32\certutil.exe
  certutil -encode "AssertSend.ADTS" "AssertSend.ADTS.TROLLD.t"
  2⤵
  PID:808
- C:\Windows\system32\certutil.exe
  certutil -encode "ClearHide.xml" "ClearHide.xml.TROLLD.t"
  2⤵
  PID:1060
- C:\Windows\system32\certutil.exe
  certutil -encode "compile.bat" "compile.bat.TROLLD.t"
  2⤵
  PID:324
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:948
- C:\Windows\system32\certutil.exe
  certutil -encode "encrypt.bat" "encrypt.bat.TROLLD.t"
  2⤵
  PID:1924
- C:\Windows\system32\certutil.exe
  certutil -encode "GroupLimit.xml" "GroupLimit.xml.TROLLD.t"
  2⤵
  PID:1604
- C:\Windows\system32\certutil.exe
  certutil -encode "HideClear.wmv" "HideClear.wmv.TROLLD.t"
  2⤵
  PID:1912
- C:\Windows\system32\certutil.exe
  certutil -encode "ImportProtect.vsd" "ImportProtect.vsd.TROLLD.t"
  2⤵
  PID:1012
- C:\Windows\system32\certutil.exe
  certutil -encode "InstallStop.wvx" "InstallStop.wvx.TROLLD.t"
  2⤵
  PID:1072
- C:\Windows\system32\certutil.exe
  certutil -encode "PopStep.aif" "PopStep.aif.TROLLD.t"
  2⤵
  PID:1540
- C:\Windows\system32\certutil.exe
  certutil -encode "ranzomware.zip" "ranzomware.zip.TROLLD.t"
  2⤵
  PID:1192
- C:\Windows\system32\certutil.exe
  certutil -encode "RegisterComplete.m1v" "RegisterComplete.m1v.TROLLD.t"
  2⤵
  PID:2012
- C:\Windows\system32\certutil.exe
  certutil -encode "RequestConvertFrom.emf" "RequestConvertFrom.emf.TROLLD.t"
  2⤵
  PID:1536
- C:\Windows\system32\certutil.exe
  certutil -encode "ResumeDisconnect.cr2" "ResumeDisconnect.cr2.TROLLD.t"
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "SearchApprove.3gpp" "SearchApprove.3gpp.TROLLD.t"
  2⤵
  PID:680
- C:\Windows\system32\certutil.exe
  certutil -encode "SetUnprotect.zip" "SetUnprotect.zip.TROLLD.t"
  2⤵
  PID:1656
- C:\Windows\system32\certutil.exe
  certutil -encode "SetUnpublish.vstx" "SetUnpublish.vstx.TROLLD.t"
  2⤵
  PID:1440
- C:\Windows\system32\certutil.exe
  certutil -encode "SplitGrant.ps1" "SplitGrant.ps1.TROLLD.t"
  2⤵
  PID:1672
- C:\Windows\system32\certutil.exe
  certutil -encode "StepSplit.vb" "StepSplit.vb.TROLLD.t"
  2⤵
  PID:1796
- C:\Windows\system32\certutil.exe
  certutil -encode "StopFind.jpg" "StopFind.jpg.TROLLD.t"
  2⤵
  PID:1848
- C:\Windows\system32\certutil.exe
  certutil -encode "TestSplit.dxf" "TestSplit.dxf.TROLLD.t"
  2⤵
  PID:620
- C:\Windows\system32\certutil.exe
  certutil -encode "TestWatch.zip" "TestWatch.zip.TROLLD.t"
  2⤵
  PID:920
- C:\Windows\system32\certutil.exe
  certutil -encode "TraceRename.ogg" "TraceRename.ogg.TROLLD.t"
  2⤵
  PID:1424
- C:\Windows\system32\certutil.exe
  certutil -encode "UninstallShow.3gp2" "UninstallShow.3gp2.TROLLD.t"
  2⤵
  PID:752
- C:\Windows\system32\certutil.exe
  certutil -encode "UnprotectShow.mp4" "UnprotectShow.mp4.TROLLD.t"
  2⤵
  PID:1304
- C:\Windows\system32\certutil.exe
  certutil -encode "UpdateStep.lnk" "UpdateStep.lnk.TROLLD.t"
  2⤵
  PID:1332
- C:\Windows\system32\certutil.exe
  certutil -encode "WriteRename.ADTS" "WriteRename.ADTS.TROLLD.t"
  2⤵
  PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1936
- C:\Windows\system32\certutil.exe
  certutil -encode "Are.docx" "Are.docx.TROLLD.t"
  2⤵
  PID:1708
- C:\Windows\system32\certutil.exe
  certutil -encode "AssertRename.xlsx" "AssertRename.xlsx.TROLLD.t"
  2⤵
  PID:1628
- C:\Windows\system32\certutil.exe
  certutil -encode "BackupOpen.xlsx" "BackupOpen.xlsx.TROLLD.t"
  2⤵
  PID:960
- C:\Windows\system32\certutil.exe
  certutil -encode "CompressDismount.docx" "CompressDismount.docx.TROLLD.t"
  2⤵
  PID:912
- C:\Windows\system32\certutil.exe
  certutil -encode "ConvertFromUnpublish.htm" "ConvertFromUnpublish.htm.TROLLD.t"
  2⤵
  PID:1768
- C:\Windows\system32\certutil.exe
  certutil -encode "CopySplit.potm" "CopySplit.potm.TROLLD.t"
  2⤵
  PID:1688
- C:\Windows\system32\certutil.exe
  certutil -encode "DebugRedo.xlsb" "DebugRedo.xlsb.TROLLD.t"
  2⤵
  PID:1772
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:608
- C:\Windows\system32\certutil.exe
  certutil -encode "DisableConvertFrom.xla" "DisableConvertFrom.xla.TROLLD.t"
  2⤵
  PID:1976
- C:\Windows\system32\certutil.exe
  certutil -encode "DisconnectResume.pps" "DisconnectResume.pps.TROLLD.t"
  2⤵
  PID:1084
- C:\Windows\system32\certutil.exe
  certutil -encode "DisconnectWrite.ppsm" "DisconnectWrite.ppsm.TROLLD.t"
  2⤵
  PID:844
- C:\Windows\system32\certutil.exe
  certutil -encode "Files.docx" "Files.docx.TROLLD.t"
  2⤵
  PID:1864
- C:\Windows\system32\certutil.exe
  certutil -encode "GetGrant.vsd" "GetGrant.vsd.TROLLD.t"
  2⤵
  PID:1956
- C:\Windows\system32\certutil.exe
  certutil -encode "GroupConnect.vsdm" "GroupConnect.vsdm.TROLLD.t"
  2⤵
  PID:1272
- C:\Windows\system32\certutil.exe
  certutil -encode "InvokeFormat.vsx" "InvokeFormat.vsx.TROLLD.t"
  2⤵
  PID:1012
- C:\Windows\system32\certutil.exe
  certutil -encode "MoveGet.pptm" "MoveGet.pptm.TROLLD.t"
  2⤵
  PID:1072
- C:\Windows\system32\certutil.exe
  certutil -encode "Opened.docx" "Opened.docx.TROLLD.t"
  2⤵
  PID:1540
- C:\Windows\system32\certutil.exe
  certutil -encode "OutFormat.vsd" "OutFormat.vsd.TROLLD.t"
  2⤵
  PID:1192
- C:\Windows\system32\certutil.exe
  certutil -encode "PingApprove.xla" "PingApprove.xla.TROLLD.t"
  2⤵
  PID:2012
- C:\Windows\system32\certutil.exe
  certutil -encode "PingCompress.vstm" "PingCompress.vstm.TROLLD.t"
  2⤵
  PID:1536
- C:\Windows\system32\certutil.exe
  certutil -encode "PingImport.mht" "PingImport.mht.TROLLD.t"
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "PopTrace.vst" "PopTrace.vst.TROLLD.t"
  2⤵
  PID:680
- C:\Windows\system32\certutil.exe
  certutil -encode "PushStep.dotx" "PushStep.dotx.TROLLD.t"
  2⤵
  PID:1656
- C:\Windows\system32\certutil.exe
  certutil -encode "Recently.docx" "Recently.docx.TROLLD.t"
  2⤵
  PID:1440
- C:\Windows\system32\certutil.exe
  certutil -encode "RemoveSkip.vsx" "RemoveSkip.vsx.TROLLD.t"
  2⤵
  PID:1672
- C:\Windows\system32\certutil.exe
  certutil -encode "RequestConnect.xlsb" "RequestConnect.xlsb.TROLLD.t"
  2⤵
  PID:1000
- C:\Windows\system32\certutil.exe
  certutil -encode "RestartMount.mpp" "RestartMount.mpp.TROLLD.t"
  2⤵
  PID:1804
- C:\Windows\system32\certutil.exe
  certutil -encode "RestartRestore.wps" "RestartRestore.wps.TROLLD.t"
  2⤵
  PID:1324
- C:\Windows\system32\certutil.exe
  certutil -encode "RestoreJoin.ppsm" "RestoreJoin.ppsm.TROLLD.t"
  2⤵
  PID:1360
- C:\Windows\system32\certutil.exe
  certutil -encode "SaveDebug.xml" "SaveDebug.xml.TROLLD.t"
  2⤵
  PID:1424
- C:\Windows\system32\certutil.exe
  certutil -encode "SaveGroup.dot" "SaveGroup.dot.TROLLD.t"
  2⤵
  PID:752
- C:\Windows\system32\certutil.exe
  certutil -encode "SkipGrant.vst" "SkipGrant.vst.TROLLD.t"
  2⤵
  PID:1524
- C:\Windows\system32\certutil.exe
  certutil -encode "StartInstall.doc" "StartInstall.doc.TROLLD.t"
  2⤵
  PID:1952
- C:\Windows\system32\certutil.exe
  certutil -encode "StopCompare.xls" "StopCompare.xls.TROLLD.t"
  2⤵
  PID:1332
- C:\Windows\system32\certutil.exe
  certutil -encode "StopPop.vsw" "StopPop.vsw.TROLLD.t"
  2⤵
  PID:1808
- C:\Windows\system32\certutil.exe
  certutil -encode "These.docx" "These.docx.TROLLD.t"
  2⤵
  PID:564
- C:\Windows\system32\certutil.exe
  certutil -encode "UpdateStart.vssm" "UpdateStart.vssm.TROLLD.t"
  2⤵
  PID:1676
- C:\Windows\system32\certutil.exe
  certutil -encode "UseCompare.ppsx" "UseCompare.ppsx.TROLLD.t"
  2⤵
  PID:1780
- C:\Windows\system32\certutil.exe
  certutil -encode "WaitExpand.pptx" "WaitExpand.pptx.TROLLD.t"
  2⤵
  PID:936
- C:\Windows\system32\certutil.exe
  certutil -encode "WriteSend.potm" "WriteSend.potm.TROLLD.t"
  2⤵
  PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1300
- C:\Windows\system32\certutil.exe
  certutil -encode "AssertJoin.wmv" "AssertJoin.wmv.TROLLD.t"
  2⤵
  PID:1312
- C:\Windows\system32\certutil.exe
  certutil -encode "BackupApprove.ppt" "BackupApprove.ppt.TROLLD.t"
  2⤵
  PID:1768
- C:\Windows\system32\certutil.exe
  certutil -encode "CompleteOpen.clr" "CompleteOpen.clr.TROLLD.t"
  2⤵
  PID:1448
- C:\Windows\system32\certutil.exe
  certutil -encode "ConnectGrant.mp2" "ConnectGrant.mp2.TROLLD.t"
  2⤵
  PID:428
- C:\Windows\system32\certutil.exe
  certutil -encode "ConvertFromNew.wav" "ConvertFromNew.wav.TROLLD.t"
  2⤵
  PID:1080
- C:\Windows\system32\certutil.exe
  certutil -encode "ConvertToInstall.xsl" "ConvertToInstall.xsl.TROLLD.t"
  2⤵
  PID:608
- C:\Windows\system32\certutil.exe
  certutil -encode "CopyProtect.wav" "CopyProtect.wav.TROLLD.t"
  2⤵
  PID:1060
- C:\Windows\system32\certutil.exe
  certutil -encode "CopyUnblock.vsd" "CopyUnblock.vsd.TROLLD.t"
  2⤵
  PID:324
- C:\Windows\system32\certutil.exe
  certutil -encode "DebugSubmit.cr2" "DebugSubmit.cr2.TROLLD.t"
  2⤵
  PID:868
- C:\Windows\system32\certutil.exe
  certutil -encode "DenyPop.3gpp" "DenyPop.3gpp.TROLLD.t"
  2⤵
  PID:844
- C:\Windows\system32\certutil.exe
  certutil -encode "DenySuspend.edrwx" "DenySuspend.edrwx.TROLLD.t"
  2⤵
  PID:1140
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:1604
- C:\Windows\system32\certutil.exe
  certutil -encode "DisconnectUnblock.potm" "DisconnectUnblock.potm.TROLLD.t"
  2⤵
  PID:1568
- C:\Windows\system32\certutil.exe
  certutil -encode "EditLock.ini" "EditLock.ini.TROLLD.t"
  2⤵
  PID:1272
- C:\Windows\system32\certutil.exe
  certutil -encode "EnterConvertTo.mpa" "EnterConvertTo.mpa.TROLLD.t"
  2⤵
  PID:1564
- C:\Windows\system32\certutil.exe
  certutil -encode "ExpandUninstall.asf" "ExpandUninstall.asf.TROLLD.t"
  2⤵
  PID:1660
- C:\Windows\system32\certutil.exe
  certutil -encode "FindSwitch.tiff" "FindSwitch.tiff.TROLLD.t"
  2⤵
  PID:1072
- C:\Windows\system32\certutil.exe
  certutil -encode "ImportRepair.dotx" "ImportRepair.dotx.TROLLD.t"
  2⤵
  PID:852
- C:\Windows\system32\certutil.exe
  certutil -encode "InitializePop.001" "InitializePop.001.TROLLD.t"
  2⤵
  PID:1752
- C:\Windows\system32\certutil.exe
  certutil -encode "InstallLimit.ocx" "InstallLimit.ocx.TROLLD.t"
  2⤵
  PID:340
- C:\Windows\system32\certutil.exe
  certutil -encode "InstallRegister.xps" "InstallRegister.xps.TROLLD.t"
  2⤵
  PID:2012
- C:\Windows\system32\certutil.exe
  certutil -encode "InvokeNew.wmv" "InvokeNew.wmv.TROLLD.t"
  2⤵
  PID:468
- C:\Windows\system32\certutil.exe
  certutil -encode "JoinSync.vst" "JoinSync.vst.TROLLD.t"
  2⤵
  PID:520
- C:\Windows\system32\certutil.exe
  certutil -encode "LockConvertTo.iso" "LockConvertTo.iso.TROLLD.t"
  2⤵
  PID:964
- C:\Windows\system32\certutil.exe
  certutil -encode "MeasureReceive.ppt" "MeasureReceive.ppt.TROLLD.t"
  2⤵
  PID:1648
- C:\Windows\system32\certutil.exe
  certutil -encode "OutEnter.m3u" "OutEnter.m3u.TROLLD.t"
  2⤵
  PID:1656
- C:\Windows\system32\certutil.exe
  certutil -encode "PingImport.xml" "PingImport.xml.TROLLD.t"
  2⤵
  PID:1696
- C:\Windows\system32\certutil.exe
  certutil -encode "ReceiveOut.ogg" "ReceiveOut.ogg.TROLLD.t"
  2⤵
  PID:1384
- C:\Windows\system32\certutil.exe
  certutil -encode "RegisterStart.mp4v" "RegisterStart.mp4v.TROLLD.t"
  2⤵
  PID:1796
- C:\Windows\system32\certutil.exe
  certutil -encode "ResolveGroup.ico" "ResolveGroup.ico.TROLLD.t"
  2⤵
  PID:1000
- C:\Windows\system32\certutil.exe
  certutil -encode "RestartCompress.3gp2" "RestartCompress.3gp2.TROLLD.t"
  2⤵
  PID:1800
- C:\Windows\system32\certutil.exe
  certutil -encode "RestoreUnregister.gif" "RestoreUnregister.gif.TROLLD.t"
  2⤵
  PID:316
- C:\Windows\system32\certutil.exe
  certutil -encode "SearchMeasure.jpeg" "SearchMeasure.jpeg.TROLLD.t"
  2⤵
  PID:920
- C:\Windows\system32\certutil.exe
  certutil -encode "SkipSave.aif" "SkipSave.aif.TROLLD.t"
  2⤵
  PID:1360
- C:\Windows\system32\certutil.exe
  certutil -encode "TraceRegister.mpeg" "TraceRegister.mpeg.TROLLD.t"
  2⤵
  PID:1372
- C:\Windows\system32\certutil.exe
  certutil -encode "UninstallUpdate.dwfx" "UninstallUpdate.dwfx.TROLLD.t"
  2⤵
  PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1304
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1952
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:1408
- C:\Windows\system32\certutil.exe
  certutil -encode "Desktop.lnk" "Desktop.lnk.TROLLD.t"
  2⤵
  PID:1960
- C:\Windows\system32\certutil.exe
  certutil -encode "Downloads.lnk" "Downloads.lnk.TROLLD.t"
  2⤵
  PID:1936
- C:\Windows\system32\certutil.exe
  certutil -encode "RecentPlaces.lnk" "RecentPlaces.lnk.TROLLD.t"
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:560
- C:\Windows\system32\certutil.exe
  certutil -encode "ClearSync.csv" "ClearSync.csv.TROLLD.t"
  2⤵
  PID:936
- C:\Windows\system32\certutil.exe
  certutil -encode "CompressConvertFrom.jpg" "CompressConvertFrom.jpg.TROLLD.t"
  2⤵
  PID:960
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:1180
- C:\Windows\system32\certutil.exe
  certutil -encode "DismountBlock.wmx" "DismountBlock.wmx.TROLLD.t"
  2⤵
  PID:1348
- C:\Windows\system32\certutil.exe
  certutil -encode "DismountEdit.mht" "DismountEdit.mht.TROLLD.t"
  2⤵
  PID:1740
- C:\Windows\system32\certutil.exe
  certutil -encode "EditSubmit.mpv2" "EditSubmit.mpv2.TROLLD.t"
  2⤵
  PID:1772
- C:\Windows\system32\certutil.exe
  certutil -encode "EnableMount.dotm" "EnableMount.dotm.TROLLD.t"
  2⤵
  PID:808
- C:\Windows\system32\certutil.exe
  certutil -encode "FormatInitialize.xla" "FormatInitialize.xla.TROLLD.t"
  2⤵
  PID:1404
- C:\Windows\system32\certutil.exe
  certutil -encode "GroupEnable.i64" "GroupEnable.i64.TROLLD.t"
  2⤵
  PID:2020
- C:\Windows\system32\certutil.exe
  certutil -encode "HideRequest.wav" "HideRequest.wav.TROLLD.t"
  2⤵
  PID:1084
- C:\Windows\system32\certutil.exe
  certutil -encode "HideRestore.vstm" "HideRestore.vstm.TROLLD.t"
  2⤵
  PID:904
- C:\Windows\system32\certutil.exe
  certutil -encode "ImportEnter.M2TS" "ImportEnter.M2TS.TROLLD.t"
  2⤵
  PID:1924
- C:\Windows\system32\certutil.exe
  certutil -encode "InvokeGrant.pptx" "InvokeGrant.pptx.TROLLD.t"
  2⤵
  PID:1600
- C:\Windows\system32\certutil.exe
  certutil -encode "InvokePing.rar" "InvokePing.rar.TROLLD.t"
  2⤵
  PID:1956
- C:\Windows\system32\certutil.exe
  certutil -encode "MoveInstall.rm" "MoveInstall.rm.TROLLD.t"
  2⤵
  PID:1912
- C:\Windows\system32\certutil.exe
  certutil -encode "PopSet.xls" "PopSet.xls.TROLLD.t"
  2⤵
  PID:1692
- C:\Windows\system32\certutil.exe
  certutil -encode "ReadCopy.3gp" "ReadCopy.3gp.TROLLD.t"
  2⤵
  PID:1560
- C:\Windows\system32\certutil.exe
  certutil -encode "RequestBlock.js" "RequestBlock.js.TROLLD.t"
  2⤵
  PID:1664
- C:\Windows\system32\certutil.exe
  certutil -encode "SendCompare.vstx" "SendCompare.vstx.TROLLD.t"
  2⤵
  PID:1416
- C:\Windows\system32\certutil.exe
  certutil -encode "SetStart.mp3" "SetStart.mp3.TROLLD.t"
  2⤵
  PID:1264
- C:\Windows\system32\certutil.exe
  certutil -encode "StepDisconnect.rm" "StepDisconnect.rm.TROLLD.t"
  2⤵
  PID:1192
- C:\Windows\system32\certutil.exe
  certutil -encode "StepPush.wpl" "StepPush.wpl.TROLLD.t"
  2⤵
  PID:988
- C:\Windows\system32\certutil.exe
  certutil -encode "StopWrite.jpg" "StopWrite.jpg.TROLLD.t"
  2⤵
  PID:1704
- C:\Windows\system32\certutil.exe
  certutil -encode "SyncRestart.zip" "SyncRestart.zip.TROLLD.t"
  2⤵
  PID:656
- C:\Windows\system32\certutil.exe
  certutil -encode "UnblockRegister.docm" "UnblockRegister.docm.TROLLD.t"
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "UndoUnprotect.csv" "UndoUnprotect.csv.TROLLD.t"
  2⤵
  PID:292
- C:\Windows\system32\certutil.exe
  certutil -encode "WatchDebug.crw" "WatchDebug.crw.TROLLD.t"
  2⤵
  PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1748
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:1648
- C:\Windows\system32\certutil.exe
  certutil -encode "DisableUnregister.svg" "DisableUnregister.svg.TROLLD.t"
  2⤵
  PID:1656
- C:\Windows\system32\certutil.exe
  certutil -encode "EditRevoke.jpeg" "EditRevoke.jpeg.TROLLD.t"
  2⤵
  PID:1696
- C:\Windows\system32\certutil.exe
  certutil -encode "ExitFind.tif" "ExitFind.tif.TROLLD.t"
  2⤵
  - Modifies extensions of user files
  PID:1384
- C:\Windows\system32\certutil.exe
  certutil -encode "HideAdd.png" "HideAdd.png.TROLLD.t"
  2⤵
  - Modifies extensions of user files
  PID:1796
- C:\Windows\system32\certutil.exe
  certutil -encode "JoinResolve.png" "JoinResolve.png.TROLLD.t"
  2⤵
  - Modifies extensions of user files
  PID:1000
- C:\Windows\system32\certutil.exe
  certutil -encode "MeasureRepair.gif" "MeasureRepair.gif.TROLLD.t"
  2⤵
  PID:1800
- C:\Windows\system32\certutil.exe
  certutil -encode "MergeUndo.svg" "MergeUndo.svg.TROLLD.t"
  2⤵
  PID:316
- C:\Windows\system32\certutil.exe
  certutil -encode "My Wallpaper.jpg" "My Wallpaper.jpg.TROLLD.t"
  2⤵
  PID:920
- C:\Windows\system32\certutil.exe
  certutil -encode "OpenUnprotect.pcx" "OpenUnprotect.pcx.TROLLD.t"
  2⤵
  PID:1360
- C:\Windows\system32\certutil.exe
  certutil -encode "OutStep.gif" "OutStep.gif.TROLLD.t"
  2⤵
  PID:1372
- C:\Windows\system32\certutil.exe
  certutil -encode "PushImport.dib" "PushImport.dib.TROLLD.t"
  2⤵
  PID:1236
- C:\Windows\system32\certutil.exe
  certutil -encode "ResolveCompare.svg" "ResolveCompare.svg.TROLLD.t"
  2⤵
  PID:1964
- C:\Windows\system32\certutil.exe
  certutil -encode "RevokeInvoke.svg" "RevokeInvoke.svg.TROLLD.t"
  2⤵
  PID:1812
- C:\Windows\system32\certutil.exe
  certutil -encode "SearchClose.tiff" "SearchClose.tiff.TROLLD.t"
  2⤵
  - Modifies extensions of user files
  PID:1332
- C:\Windows\system32\certutil.exe
  certutil -encode "ShowExpand.tiff" "ShowExpand.tiff.TROLLD.t"
  2⤵
  - Modifies extensions of user files
  PID:1808
- C:\Windows\system32\certutil.exe
  certutil -encode "SplitStop.cr2" "SplitStop.cr2.TROLLD.t"
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1612
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1300
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:960
- C:\Windows\system32\certutil.exe
  certutil -encode "Everywhere.search-ms" "Everywhere.search-ms.TROLLD.t"
  2⤵
  PID:1180
- C:\Windows\system32\certutil.exe
  certutil -encode "Indexed Locations.search-ms" "Indexed Locations.search-ms.TROLLD.t"
  2⤵
  PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:808
- C:\Windows\system32\certutil.exe
  certutil -encode "desktop.ini" "desktop.ini.TROLLD.t"
  2⤵
  PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1976
- C:\Windows\system32\certutil.exe
  certutil -encode "IconCache.db" "IconCache.db.TROLLD.t"
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:904
- C:\Windows\system32\certutil.exe
  certutil -encode "ClearResume.mpa" "ClearResume.mpa.TROLLD.t"
  2⤵
  PID:1944
- C:\Windows\system32\certutil.exe
  certutil -encode "ConfirmLimit.pptm" "ConfirmLimit.pptm.TROLLD.t"
  2⤵
  PID:1864
- C:\Windows\system32\certutil.exe
  certutil -encode "DisableCopy.AAC" "DisableCopy.AAC.TROLLD.t"
  2⤵
  PID:1576
- C:\Windows\system32\certutil.exe
  certutil -encode "DisconnectTest.wdp" "DisconnectTest.wdp.TROLLD.t"
  2⤵
  PID:1912
- C:\Windows\system32\certutil.exe
  certutil -encode "GroupDisconnect.png" "GroupDisconnect.png.TROLLD.t"
  2⤵
  PID:1552
- C:\Windows\system32\certutil.exe
  certutil -encode "InstallConvert.3gp" "InstallConvert.3gp.TROLLD.t"
  2⤵
  PID:1012
- C:\Windows\system32\certutil.exe
  certutil -encode "LockSplit.AAC" "LockSplit.AAC.TROLLD.t"
  2⤵
  PID:1860
- C:\Windows\system32\certutil.exe
  certutil -encode "MeasureTest.svg" "MeasureTest.svg.TROLLD.t"
  2⤵
  PID:1116
- C:\Windows\system32\certutil.exe
  certutil -encode "MountLock.xml" "MountLock.xml.TROLLD.t"
  2⤵
  PID:1540
- C:\Windows\system32\certutil.exe
  certutil -encode "RenameEnable.au" "RenameEnable.au.TROLLD.t"
  2⤵
  PID:2008
- C:\Windows\system32\certutil.exe
  certutil -encode "ResetWait.cab" "ResetWait.cab.TROLLD.t"
  2⤵
  PID:864
- C:\Windows\system32\certutil.exe
  certutil -encode "SetMeasure.shtml" "SetMeasure.shtml.TROLLD.t"
  2⤵
  PID:268
- C:\Windows\system32\certutil.exe
  certutil -encode "SplitSync.m1v" "SplitSync.m1v.TROLLD.t"
  2⤵
  PID:1536
- C:\Windows\system32\certutil.exe
  certutil -encode "StopStep.potx" "StopStep.potx.TROLLD.t"
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "SuspendFormat.vdw" "SuspendFormat.vdw.TROLLD.t"
  2⤵
  PID:964
- C:\Windows\system32\certutil.exe
  certutil -encode "SwitchSync.gif" "SwitchSync.gif.TROLLD.t"
  2⤵
  PID:1388
- C:\Windows\system32\certutil.exe
  certutil -encode "TraceEnter.dotx" "TraceEnter.dotx.TROLLD.t"
  2⤵
  PID:1792
- C:\Windows\system32\certutil.exe
  certutil -encode "TraceUndo.php" "TraceUndo.php.TROLLD.t"
  2⤵
  PID:1684
- C:\Windows\system32\certutil.exe
  certutil -encode "UnprotectUninstall.3g2" "UnprotectUninstall.3g2.TROLLD.t"
  2⤵
  PID:1352
- C:\Windows\system32\certutil.exe
  certutil -encode "UnpublishRestart.i64" "UnpublishRestart.i64.TROLLD.t"
  2⤵
  PID:2000
- C:\Windows\system32\certutil.exe
  certutil -encode "WriteSelect.cab" "WriteSelect.cab.TROLLD.t"
  2⤵
  PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1980
- C:\Windows\system32\certutil.exe
  certutil -encode "a512a634-3f58-43bd-af60-23c25bb88704.tmp" "a512a634-3f58-43bd-af60-23c25bb88704.tmp.TROLLD.t"
  2⤵
  PID:920
- C:\Windows\system32\certutil.exe
  certutil -encode "a9177185-0292-4863-8247-21d8508effaa.tmp" "a9177185-0292-4863-8247-21d8508effaa.tmp.TROLLD.t"
  2⤵
  PID:1360
- C:\Windows\system32\certutil.exe
  certutil -encode "Admin.bmp" "Admin.bmp.TROLLD.t"
  2⤵
  PID:1372
- C:\Windows\system32\certutil.exe
  certutil -encode "ASPNETSetup_00000.log" "ASPNETSetup_00000.log.TROLLD.t"
  2⤵
  PID:1236
- C:\Windows\system32\certutil.exe
  certutil -encode "ASPNETSetup_00001.log" "ASPNETSetup_00001.log.TROLLD.t"
  2⤵
  PID:1964
- C:\Windows\system32\certutil.exe
  certutil -encode "chrome_installer.log" "chrome_installer.log.TROLLD.t"
  2⤵
  PID:1812
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.TROLLD.t"
  2⤵
  PID:1332
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_SetupUtility.txt" "dd_SetupUtility.txt.TROLLD.t"
  2⤵
  PID:1808
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_vcredistMSI25DC.txt" "dd_vcredistMSI25DC.txt.TROLLD.t"
  2⤵
  PID:1936
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_vcredistMSI2644.txt" "dd_vcredistMSI2644.txt.TROLLD.t"
  2⤵
  PID:1136
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_vcredistUI25DC.txt" "dd_vcredistUI25DC.txt.TROLLD.t"
  2⤵
  PID:544
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_vcredistUI2644.txt" "dd_vcredistUI2644.txt.TROLLD.t"
  2⤵
  PID:936
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_wcf_CA_smci_20230220_232458_770.txt" "dd_wcf_CA_smci_20230220_232458_770.txt.TROLLD.t"
  2⤵
  PID:912
- C:\Windows\system32\certutil.exe
  certutil -encode "dd_wcf_CA_smci_20230220_232500_064.txt" "dd_wcf_CA_smci_20230220_232500_064.txt.TROLLD.t"
  2⤵
  PID:1312
- C:\Windows\system32\certutil.exe
  certutil -encode "FXSAPIDebugLogFile.txt" "FXSAPIDebugLogFile.txt.TROLLD.t"
  2⤵
  PID:1768
- C:\Windows\system32\certutil.exe
  certutil -encode "JavaDeployReg.log" "JavaDeployReg.log.TROLLD.t"
  2⤵
  PID:1688
- C:\Windows\system32\certutil.exe
  certutil -encode "java_install.log" "java_install.log.TROLLD.t"
  2⤵
  PID:428
- C:\Windows\system32\certutil.exe
  certutil -encode "java_install_reg.log" "java_install_reg.log.TROLLD.t"
  2⤵
  PID:776
- C:\Windows\system32\certutil.exe
  certutil -encode "jawshtml.html" "jawshtml.html.TROLLD.t"
  2⤵
  PID:608
- C:\Windows\system32\certutil.exe
  certutil -encode "jusched.log" "jusched.log.TROLLD.t"
  2⤵
  PID:1404
- C:\Windows\system32\certutil.exe
  certutil -encode "KnoAEB8.tmp" "KnoAEB8.tmp.TROLLD.t"
  2⤵
  PID:1976
- C:\Windows\system32\certutil.exe
  certutil -encode "lpksetup-20230220-234044-0.log" "lpksetup-20230220-234044-0.log.TROLLD.t"
  2⤵
  PID:1932
- C:\Windows\system32\certutil.exe
  certutil -encode "lpksetup-20230220-234358-0.log" "lpksetup-20230220-234358-0.log.TROLLD.t"
  2⤵
  PID:868
- C:\Windows\system32\certutil.exe
  certutil -encode "lpksetup-20230220-234700-0.log" "lpksetup-20230220-234700-0.log.TROLLD.t"
  2⤵
  PID:1140
- C:\Windows\system32\certutil.exe
  certutil -encode "lpksetup-20230220-235016-0.log" "lpksetup-20230220-235016-0.log.TROLLD.t"
  2⤵
  PID:1604
- C:\Windows\system32\certutil.exe
  certutil -encode "lpksetup-20230220-235323-0.log" "lpksetup-20230220-235323-0.log.TROLLD.t"
  2⤵
  PID:1856
- C:\Windows\system32\certutil.exe
  certutil -encode "Microsoft .NET Framework 4.7.2 Setup_20230220_232430357-MSI_netfx_Full_x64.msi.txt" "Microsoft .NET Framework 4.7.2 Setup_20230220_232430357-MSI_netfx_Full_x64.msi.txt.TROLLD.t"
  2⤵
  PID:1568
- C:\Windows\system32\certutil.exe
  certutil -encode "Microsoft .NET Framework 4.7.2 Setup_20230220_232430357.html" "Microsoft .NET Framework 4.7.2 Setup_20230220_232430357.html.TROLLD.t"
  2⤵
  PID:340
- C:\Windows\system32\certutil.exe
  certutil -encode "ose00000.exe" "ose00000.exe.TROLLD.t"
  2⤵
  PID:2012
- C:\Windows\system32\certutil.exe
  certutil -encode "RDDD72.tmp" "RDDD72.tmp.TROLLD.t"
  2⤵
  PID:468
- C:\Windows\system32\certutil.exe
  certutil -encode "RGI7B0A.tmp" "RGI7B0A.tmp.TROLLD.t"
  2⤵
  PID:268
- C:\Windows\system32\certutil.exe
  certutil -encode "RGI7B0A.tmp-tmp" "RGI7B0A.tmp-tmp.TROLLD.t"
  2⤵
  PID:1536
- C:\Windows\system32\certutil.exe
  certutil -encode "SetupExe(20230220233241448).log" "SetupExe(20230220233241448).log.TROLLD.t"
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "wmsetup.log" "wmsetup.log.TROLLD.t"
  2⤵
  PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1852
- C:\Windows\system32\certutil.exe
  certutil -encode "ACECache10.lst" "ACECache10.lst.TROLLD.t"
  2⤵
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1656
- C:\Windows\system32\certutil.exe
  certutil -encode "AcroFnt09.lst" "AcroFnt09.lst.TROLLD.t"
  2⤵
  PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1384
- C:\Windows\system32\certutil.exe
  certutil -encode "wscRGB.icc" "wscRGB.icc.TROLLD.t"
  2⤵
  PID:928
- C:\Windows\system32\certutil.exe
  certutil -encode "wsRGB.icc" "wsRGB.icc.TROLLD.t"
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1196
- C:\Windows\system32\certutil.exe
  certutil -encode "chrome_shutdown_ms.txt" "chrome_shutdown_ms.txt.TROLLD.t"
  2⤵
  PID:316
- C:\Windows\system32\certutil.exe
  certutil -encode "CrashpadMetrics-active.pma" "CrashpadMetrics-active.pma.TROLLD.t"
  2⤵
  PID:1980
- C:\Windows\system32\certutil.exe
  certutil -encode "First Run" "First Run.TROLLD.t"
  2⤵
  PID:920
- C:\Windows\system32\certutil.exe
  certutil -encode "Last Version" "Last Version.TROLLD.t"
  2⤵
  PID:752
- C:\Windows\system32\certutil.exe
  certutil -encode "Local State" "Local State.TROLLD.t"
  2⤵
  PID:1528
- C:\Windows\system32\certutil.exe
  certutil -encode "Variations" "Variations.TROLLD.t"
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1964
- C:\Windows\system32\certutil.exe
  certutil -encode "BrowserMetrics-63F404CC-818.pma" "BrowserMetrics-63F404CC-818.pma.TROLLD.t"
  2⤵
  PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1808
- C:\Windows\system32\certutil.exe
  certutil -encode "metadata" "metadata.TROLLD.t"
  2⤵
  PID:1708
- C:\Windows\system32\certutil.exe
  certutil -encode "settings.dat" "settings.dat.TROLLD.t"
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:544
- C:\Windows\system32\certutil.exe
  certutil -encode "Affiliation Database" "Affiliation Database.TROLLD.t"
  2⤵
  PID:1512
- C:\Windows\system32\certutil.exe
  certutil -encode "Affiliation Database-journal" "Affiliation Database-journal.TROLLD.t"
  2⤵
  PID:1300
- C:\Windows\system32\certutil.exe
  certutil -encode "Favicons" "Favicons.TROLLD.t"
  2⤵
  PID:540
- C:\Windows\system32\certutil.exe
  certutil -encode "Favicons-journal" "Favicons-journal.TROLLD.t"
  2⤵
  PID:1180
- C:\Windows\system32\certutil.exe
  certutil -encode "Google Profile.ico" "Google Profile.ico.TROLLD.t"
  2⤵
  PID:1348
- C:\Windows\system32\certutil.exe
  certutil -encode "heavy_ad_intervention_opt_out.db" "heavy_ad_intervention_opt_out.db.TROLLD.t"
  2⤵
  PID:1740
- C:\Windows\system32\certutil.exe
  certutil -encode "heavy_ad_intervention_opt_out.db-journal" "heavy_ad_intervention_opt_out.db-journal.TROLLD.t"
  2⤵
  PID:836
- C:\Windows\system32\certutil.exe
  certutil -encode "History" "History.TROLLD.t"
  2⤵
  PID:1080
- C:\Windows\system32\certutil.exe
  certutil -encode "History-journal" "History-journal.TROLLD.t"
  2⤵
  PID:608
- C:\Windows\system32\certutil.exe
  certutil -encode "Login Data" "Login Data.TROLLD.t"
  2⤵
  PID:940
- C:\Windows\system32\certutil.exe
  certutil -encode "Login Data For Account" "Login Data For Account.TROLLD.t"
  2⤵
  PID:1976
- C:\Windows\system32\certutil.exe
  certutil -encode "Login Data For Account-journal" "Login Data For Account-journal.TROLLD.t"
  2⤵
  PID:1932
- C:\Windows\system32\certutil.exe
  certutil -encode "Login Data-journal" "Login Data-journal.TROLLD.t"
  2⤵
  PID:844
- C:\Windows\system32\certutil.exe
  certutil -encode "Preferences" "Preferences.TROLLD.t"
  2⤵
  PID:1944
- C:\Windows\system32\certutil.exe
  certutil -encode "Secure Preferences" "Secure Preferences.TROLLD.t"
  2⤵
  PID:1864
- C:\Windows\system32\certutil.exe
  certutil -encode "Top Sites" "Top Sites.TROLLD.t"
  2⤵
  PID:1576
- C:\Windows\system32\certutil.exe
  certutil -encode "Top Sites-journal" "Top Sites-journal.TROLLD.t"
  2⤵
  PID:1416
- C:\Windows\system32\certutil.exe
  certutil -encode "Trusted Vault" "Trusted Vault.TROLLD.t"
  2⤵
  PID:1540
- C:\Windows\system32\certutil.exe
  certutil -encode "Visited Links" "Visited Links.TROLLD.t"
  2⤵
  PID:2008
- C:\Windows\system32\certutil.exe
  certutil -encode "Web Data" "Web Data.TROLLD.t"
  2⤵
  PID:864
- C:\Windows\system32\certutil.exe
  certutil -encode "Web Data-journal" "Web Data-journal.TROLLD.t"
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:292
- C:\Windows\system32\certutil.exe
  certutil -encode "data_0" "data_0.TROLLD.t"
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "data_1" "data_1.TROLLD.t"
  2⤵
  PID:964
- C:\Windows\system32\certutil.exe
  certutil -encode "data_2" "data_2.TROLLD.t"
  2⤵
  PID:1792
- C:\Windows\system32\certutil.exe
  certutil -encode "data_3" "data_3.TROLLD.t"
  2⤵
  PID:1852
- C:\Windows\system32\certutil.exe
  certutil -encode "index" "index.TROLLD.t"
  2⤵
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1144
- C:\Windows\system32\certutil.exe
  certutil -encode "data_0" "data_0.TROLLD.t"
  2⤵
  PID:1424
- C:\Windows\system32\certutil.exe
  certutil -encode "data_1" "data_1.TROLLD.t"
  2⤵
  PID:1272
- C:\Windows\system32\certutil.exe
  certutil -encode "data_2" "data_2.TROLLD.t"
  2⤵
  PID:1052
- C:\Windows\system32\certutil.exe
  certutil -encode "data_3" "data_3.TROLLD.t"
  2⤵
  PID:1304
- C:\Windows\system32\certutil.exe
  certutil -encode "index" "index.TROLLD.t"
  2⤵
  PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:912
- C:\Windows\system32\certutil.exe
  certutil -encode "LOCK" "LOCK.TROLLD.t"
  2⤵
  PID:1312
- C:\Windows\system32\certutil.exe
  certutil -encode "LOG" "LOG.TROLLD.t"
  2⤵
  PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1180
- C:\Windows\system32\certutil.exe
  certutil -encode "LOCK" "LOCK.TROLLD.t"
  2⤵
  PID:1448
- C:\Windows\system32\certutil.exe
  certutil -encode "LOG" "LOG.TROLLD.t"
  2⤵
  PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1740
- C:\Windows\system32\certutil.exe
  certutil -encode "data_0" "data_0.TROLLD.t"
  2⤵
  PID:836
- C:\Windows\system32\certutil.exe
  certutil -encode "data_1" "data_1.TROLLD.t"
  2⤵
  PID:1080
- C:\Windows\system32\certutil.exe
  certutil -encode "data_2" "data_2.TROLLD.t"
  2⤵
  PID:1084
- C:\Windows\system32\certutil.exe
  certutil -encode "data_3" "data_3.TROLLD.t"
  2⤵
  PID:324
- C:\Windows\system32\certutil.exe
  certutil -encode "index" "index.TROLLD.t"
  2⤵
  PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:844
- C:\Windows\system32\certutil.exe
  certutil -encode "000003.log" "000003.log.TROLLD.t"
  2⤵
  PID:1924
- C:\Windows\system32\certutil.exe
  certutil -encode "CURRENT" "CURRENT.TROLLD.t"
  2⤵
  PID:1604
- C:\Windows\system32\certutil.exe
  certutil -encode "LOCK" "LOCK.TROLLD.t"
  2⤵
  PID:1576
- C:\Windows\system32\certutil.exe
  certutil -encode "LOG" "LOG.TROLLD.t"
  2⤵
  PID:1416
- C:\Windows\system32\certutil.exe
  certutil -encode "MANIFEST-000002" "MANIFEST-000002.TROLLD.t"
  2⤵
  PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:2008
- C:\Windows\system32\certutil.exe
  certutil -encode "000003.log" "000003.log.TROLLD.t"
  2⤵
  PID:988
- C:\Windows\system32\certutil.exe
  certutil -encode "CURRENT" "CURRENT.TROLLD.t"
  2⤵
  PID:1704
- C:\Windows\system32\certutil.exe
  certutil -encode "LOCK" "LOCK.TROLLD.t"
  2⤵
  PID:916
- C:\Windows\system32\certutil.exe
  certutil -encode "LOG" "LOG.TROLLD.t"
  2⤵
  PID:1536
- C:\Windows\system32\certutil.exe
  certutil -encode "MANIFEST-000002" "MANIFEST-000002.TROLLD.t"
  2⤵
  PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1132
- C:\Windows\system32\certutil.exe
  certutil -encode "data_0" "data_0.TROLLD.t"
  2⤵
  PID:1256
- C:\Windows\system32\certutil.exe
  certutil -encode "data_1" "data_1.TROLLD.t"
  2⤵
  PID:2036
- C:\Windows\system32\certutil.exe
  certutil -encode "data_2" "data_2.TROLLD.t"
  2⤵
  PID:1648
- C:\Windows\system32\certutil.exe
  certutil -encode "data_3" "data_3.TROLLD.t"
  2⤵
  PID:1476
- C:\Windows\system32\certutil.exe
  certutil -encode "index" "index.TROLLD.t"
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a-d
  2⤵
  PID:1804
- C:\Windows\system32\certutil.exe
  certutil -encode "Cookies" "Cookies.TROLLD.t"
  2⤵
  PID:928
- C:\Windows\system32\certutil.exe
  certutil -encode "Cookies-journal" "Cookies-journal.TROLLD.t"
  2⤵
  PID:620
- C:\Windows\system32\certutil.exe
  certutil -encode "Network Persistent State" "Network Persistent State.TROLLD.t"
  2⤵
  PID:1796
- C:\Windows\system32\certutil.exe
  certutil -encode "NetworkDataMigrated" "NetworkDataMigrated.TROLLD.t"
  2⤵
  PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\Admin.contact.TROLLD.t

Filesize
91KB

MD5
03406213daa65d298361b90a4d075380

SHA1
8530fa6c96e93b3683fb04eb6d0ea08e64ff9075

SHA256
0da58fe097f022ac5e6613c1f88996ed408b22b3c217ba237188aeac1b922d1e

SHA512
a8e74fa8617ca8e5067176010499f37d8f43d081a64741a087f90827730ba3761cb6dd62ce2a249e2fffe23e48455d738c86d981a0b10e4475f005eefd652448

Download Submit
C:\Users\Admin\Contacts\desktop.ini.TROLLD.t

Filesize
626B

MD5
afe9b503e721360061fd8b9c48212175

SHA1
5faf402fc31babfdd0b7eff14d35ae7052b2217a

SHA256
46d914169d5c34f6e76c5b425b01ada39a7ff01231137576c6caa8151d0b9581

SHA512
0ff2770565e313ec8ed25d967d98650afb20a34652d8bc6b9147567f0e5bf07f903a4da8a93a5006497a5d61106553c9d5234632a27e9ba482e1441e9e7f49a0

Download Submit
C:\Users\Admin\Desktop\ApprovePublish.jpg.TROLLD.t

Filesize
498KB

MD5
4bca95dd1aa8ea9c95c53e26e602ca86

SHA1
845c28fb3d3cd3b763ff54bf5cef742167bc44a9

SHA256
7ae0bdf6a051c79db8ec7a002eb8ad11d11a02b579169f042743e0d186a15e84

SHA512
d15405a27d8c47a76bf94ed0994bdbf46c15b309667f68fd216a1111e8bd5d7eef0b87dcfd03188ced87d6c4401d386360f9f914acbee233963dd648e850a93e

Download Submit
C:\Users\Admin\Desktop\AssertSend.ADTS.TROLLD.t

Filesize
176KB

MD5
392bb40925e679ccfbab25cb779c9720

SHA1
00720f8bb5c4f101becdbd4b190c9f421659dc90

SHA256
ef242e5053881a8d870f8b9464af2bd908f1def4cacefd752cca1201ce6a77bf

SHA512
5bf35052f069900a7281732bf5eb61fc7841f9b4e131dcf7def04f3b28afb24db9595104457ebd5a79bfcca238ea1a9701f85c96d661d9fa0b1ad2faa1aec36e

Download Submit
C:\Users\Admin\Desktop\ClearHide.xml.TROLLD.t

Filesize
469KB

MD5
8660a5c1083f5414a8ec37cb29001c93

SHA1
3aaad698c0bcb008ba2b2c15bdd969ea92127682

SHA256
12915fd215e317a62442bca6fa557f5b1e636d3e2bf718c9380c4b62c0c5492b

SHA512
830f71630ef7a38436f11626af9c42f2413cc9a7d9918c9cdb3b7753f876608a2a9b33cd188abd831ee09859ada24ba63c81917c158dedbe98d5ee19bd63e94f

Download Submit
C:\Users\Admin\Desktop\GroupLimit.xml.TROLLD.t

Filesize
205KB

MD5
21a130911e777b054a5907da9800721d

SHA1
0bb9bdfe725b94f0b92d44ea1d01c7df9dfe8518

SHA256
447aa4d4699fb9307e45486c3b3cf61342d0a8cc432f6ee482643ac03a65eb7d

SHA512
8a9c7b369626249d9dcbbca2f8adcddc538c11fcb93645bc3a38882d9011cf5a404040bc03e11c82fe9b2527284754c39c37850421685b2a9f6e9a07ced7a956

Download Submit
C:\Users\Admin\Desktop\ImportProtect.vsd.TROLLD.t

Filesize
308KB

MD5
f6d80a7e8d58871836e36d8e8203680d

SHA1
212d1db9205e0df68a3d1effc7e52db3fc2cdfc9

SHA256
ac8723a9f06799d12460e3e26a35b25d687d4433754333c3ac17d11cc4e6ee4b

SHA512
d352150c99362b8bd96774f680838807a30fb2a31ce5038f36b2e6d0c8eeb105dc65b0522257113326669eff5f671f9157244a16ab2f0aa6c44bb93f5f3cf790

Download Submit
C:\Users\Admin\Desktop\InstallStop.wvx.TROLLD.t

Filesize
410KB

MD5
6047d03f09bdeb76ea96789c6c71beb4

SHA1
f3c963fd5d3e84d4ca26c4ad978084376d032f15

SHA256
19b9adc29daed5425116ecbbf291754f21b60022b99fb50f0f99b627fc2155ee

SHA512
f5add9b410839d23c3921bab46f3a8f948d9bf63eb0b749ea749fdc87ff3ce1fc4cc91bb1e6e828a3a0b9c7d17ccc45314c0a3591384083652e7223a751fb9aa

Download Submit
C:\Users\Admin\Desktop\PopStep.aif.TROLLD.t

Filesize
689KB

MD5
0f2fd953766a8bfc5ac80e081e355c4a

SHA1
f1d730503e59827cbb345669667a13fcc91c850b

SHA256
670ee4f4c74c54d33958c91b3caf9bda608cff922a85915248ae0135f31bc664

SHA512
360f9fab7af44541314916889613001f65d7ad68a10181058454ce18d3b90725659b942ad8d1b52e931f27d93ae2ec1326b069d5b2b095fa1a0e826e1bca3e61

Download Submit
C:\Users\Admin\Desktop\RegisterComplete.m1v.TROLLD.t

Filesize
381KB

MD5
790e68a94d42bdda1215703ec61f9a25

SHA1
56bb8190a7e3233a48aec655c2c6b76887ab23af

SHA256
3e05172057fc7e4dd8c67daed09a79eb3f96257a634b208069c0db6d36c58fe7

SHA512
9b7fc4c2e3f090dbec526d9eba425662bf2dd521e34db2e19a05ef6f6053a80acab8043a7fba75acc513f0bd581fca9a14e952e5cead6ae2078afb117bc16efd

Download Submit
C:\Users\Admin\Desktop\RequestConvertFrom.emf.TROLLD.t

Filesize
249KB

MD5
5288c4aeeaefd13c126ba55592d48980

SHA1
cccbdd7f5022f4d500bac068d596435427cb4212

SHA256
6a92bddfefc514093706aded932310c625e233d74ae7602f1650b636d835e9a2

SHA512
b20837b7fd75c06ee57c035d710490cd95c1af0fde965f2572dd35c6f0f49b642cabf8358018c6bfc4774bf0dbb380cb69e5a6ee838083264fdc3379dcd6d923

Download Submit
C:\Users\Admin\Desktop\ResumeDisconnect.cr2.TROLLD.t

Filesize
190KB

MD5
db66e8a5045c510781a638704866e5ab

SHA1
6387fabaf6e4864e3556ee0aec589a20d66cb905

SHA256
f25f6c01651f61136fd1e2eb3ffe8dfa056461f74d5ee6260f6c7a146f8eb961

SHA512
2489bfb0f66ae1cbd31565b134c4a4dee314f364b0e6bedb06ab58a647f984f11dfa4978913919e94d3eb2c102d3c8fbc98ec9d00f4d2411d39ec2161a269ff5

Download Submit
C:\Users\Admin\Desktop\SearchApprove.3gpp.TROLLD.t

Filesize
425KB

MD5
b3f27e60873afe69d61b72295b2a57d0

SHA1
2e7af82173ffac7e290a1644175b3850a90ff46a

SHA256
6ea0daa400972e77cac9368f102d7a4b1e2bbc79abe427e1585dc7b77b6e09f0

SHA512
b2e8c4c32b900773db9cf4aabe20ddacffc3edc46dc1a6b6b157c9cb7c29c1740f38a2688c1f98a4ad1848e0744e7d63cd79d4f1ec584cf055bd6064b229a0f8

Download Submit
C:\Users\Admin\Desktop\SetUnprotect.zip.TROLLD.t

Filesize
337KB

MD5
09ad9674dd04b6ff428d8a43e63ac922

SHA1
3b4f1a650a1b9d14251efc89b36838cbebfb0051

SHA256
eebfccc96fb16f9420577acfcf91b6e8a596af1b8903faa5d32952ac2bce8250

SHA512
7c5b3ea25d434001685c49d464ec93d2d685597cb5e67da4c1b61f1fb03c12479a94104ab6dcd1f32db5e721dda52dd48178cd370ddd12a60e89dbbe9b7895d5

Download Submit
C:\Users\Admin\Desktop\SetUnpublish.vstx.TROLLD.t

Filesize
234KB

MD5
b9c424bcfdece05ec9723203fdd50f08

SHA1
c5eeec86c1d6c9958cba9c63707530522adcc74c

SHA256
d9a12932e4ee1cf66a2728483a33f52876afb7b6342bdeac22b91fa7f46df746

SHA512
552f5223c73059c45cddbd8446539567fbffaee6c9c8b84503ddf01ab7ba573649622faa4bb32990fc8c61156f4a8f7fc71248e113d5c050883123918c5e5e00

Download Submit
C:\Users\Admin\Desktop\SplitGrant.ps1.TROLLD.t

Filesize
352KB

MD5
7d257ed4762d2d8b57ecc0979592860f

SHA1
396231dc232789d43c4dff22379dffc8cd03e15d

SHA256
908b4034b785ae7fd001456df58eaf10536201ec21ad4d91517b7e78e575adeb

SHA512
d5a8c46ac3259f8616a59d265426474b4e33e160ea49849e5c2d5efd8e28d36b9bd2fb677d27abd824f0a9c57f84a651d2922dee21475e68df534dd901170c62

Download Submit
C:\Users\Admin\Desktop\StepSplit.vb.TROLLD.t

Filesize
440KB

MD5
3e08e0e2ae784c7a73f5d85dae7a3bc6

SHA1
e6ba9033a662dc248dcbeda21c1983917fdc229e

SHA256
af596967f306e0a9abc44147036e4bcafc16072efd9fbb1e846f88b030de74c1

SHA512
a4d786a54751cfd192ade2098b018b0915ab3617358daad4b90663d5b25b92da455ad1a19562b63248cb6581970aa0009e885fbf4481488efdb78ccb40941886

Download Submit
C:\Users\Admin\Desktop\StopFind.jpg.TROLLD.t

Filesize
454KB

MD5
6ebbf8192260fe77e37a4409fb2a12ab

SHA1
2b50e1c214e750faa5639a9b266e0ec1496bdc5e

SHA256
1fdfafce6faf244fe24864cb264cd7f3e392689b1357164ff1c2f214a9eb3318

SHA512
74fa676e6794b567802fbc65c6a5f43b1227a98dbb15fc87f39c5f4ffc69fb9706612b40b64024dfa276e1552f3adb2c69a27774bc1e3ec64cb20534108c6878

Download Submit
C:\Users\Admin\Desktop\TestSplit.dxf.TROLLD.t

Filesize
293KB

MD5
5130926b8679f32f94e25f3613950686

SHA1
13cbcc2bf96ca5ffc1449553efff01e3969d2379

SHA256
232cab46ea0fd51a48c72f251d48728993fea45cf902dfb11d664b5c07ee204f

SHA512
6a6b2d8914a7c9d5c1df63fffde91f0d46032e1b58303b86d32009cd267fdbd23caee0646941aa1c9ea226a300c64407900b1230a1da9cd26e62f7602ef693c0

Download Submit
C:\Users\Admin\Desktop\TestWatch.zip.TROLLD.t

Filesize
278KB

MD5
05a701d666e4216a685dc204a4ebbbbe

SHA1
88c8ae033ffd52822c930e4ae5cc84a569fea68a

SHA256
6b2d65291ca9f946b3924f13e9af2be3a3e45947a78845078eac36feda281215

SHA512
3ccc346a0a0dde2bb8934f36d7443b6af7bc70413ef7a53687ad4d0888f4ec8b87b8ea2605299b90163c566930f16fe832330abef902dd397471e8ecf0c8f79a

Download Submit
C:\Users\Admin\Desktop\TraceRename.ogg.TROLLD.t

Filesize
264KB

MD5
bd35ff28450cfcd13afc5a408d461712

SHA1
52569237b11d2148b3a0c356c7a793223ddf9c5b

SHA256
5912b494ffe7067d816adb5b5ef4c50585e80accaaa27f85d08a34134945289b

SHA512
10d8ed8200f6bfcbed83f90ecfca01110dc658ad75b2dcd32d8d49f2d96b0674584e0769f8236cc1582b2bccb71924bbd0b04b7d3d80437db89e7c9c7c6c8437

Download Submit
C:\Users\Admin\Desktop\UninstallShow.3gp2.TROLLD.t

Filesize
366KB

MD5
f309a523c8b29b454eb8a7a4afc46f93

SHA1
894f5551174d9d73940043e606e109d0dc2ba3e4

SHA256
a8ff8653c6a26de7c9f1741447bde2036e7c2f521618595f4230c872eb01a15d

SHA512
63b20c268b8053129ec1a29d78a5be2103d3e5eca11c89244a43e494d70d920dc23ec4374fac947db1ab6480452ecfd903c020df4d7e8ab923047c4427e7acd8

Download Submit
C:\Users\Admin\Desktop\UnprotectShow.mp4.TROLLD.t

Filesize
322KB

MD5
7db3a6435a842f01e87b0bff2240fb96

SHA1
399da5069e8294b9b8537a44ea7d78b8b09704ce

SHA256
231163bcbe6d2173046ded0eb2ec912c6ad0dc5d6786a10053c4d34f18b162a9

SHA512
29b33904cf408cb9f21cb69bd03b8a03452fe88faf4e7f8ae5661cf35a7299d284fa179f30d9a9d6dd18bf36301b2da0a206674c4004ed2945e4037e8375e5bc

Download Submit
C:\Users\Admin\Desktop\UpdateStep.lnk.TROLLD.t

Filesize
484KB

MD5
a04f577cfc53101fa0830121fd3cf184

SHA1
49318f912172fa99bbd110cca7e27c4601ab7c90

SHA256
9e300208f35300a31f545dce48665d1370d68f85895fa6bf3acea83df8aca08e

SHA512
23da7d0f5da8b5d356e31a85034f3367586924476fe0f7577221d72c862e4f0426c5ea3d03fd136fcd30acc553a0644e0155c9d83b2fb3f753435ce492d6d119

Download Submit
C:\Users\Admin\Desktop\WriteRename.ADTS.TROLLD.t

Filesize
220KB

MD5
ab286e5552e33704062be53233e15439

SHA1
8606205c49b61c21ebeb4dc1f0463eafae278bb6

SHA256
be79efd723730a20524146d5fc15a12b3e8e9db289bc7fe56819cfd4520222dd

SHA512
4896bc39f0c59badbd17711ef7e6c232d1b2eb6c1d1f9a266899877f4620fc58ffa5ea6854d7326062aa92d4d2ba146b76d342a0e216cf7b072db1a7ac44a274

Download Submit
C:\Users\Admin\Desktop\compile.bat

Filesize
99B

MD5
3659364da74648bb15f0d88a3dd48d90

SHA1
d720891032f2d00f66b587fa45a84eabe3a1bb0b

SHA256
c41f99ac6144eccd2926e997e4c728c4459b85cd09d597100ec2946d74b0a357

SHA512
0cfd222250fc106f97e11091d7550d48884bc8be9022d64dddf404c6ddf874f1845d8e25eeda47653b774eb23274e04506f80704e694dab94e7d7039cbd3630e

Download Submit
C:\Users\Admin\Desktop\compile.bat.TROLLD.t

Filesize
194B

MD5
bd89aeaa1e53e89ecff5a8f28e954eec

SHA1
edb0b4b59357172a4c41ea3e9bcaf440cddbea21

SHA256
8f3f196c6c0d7314f7924a6dda5d5f3dd44ca302bb017eb97ea15c8b76cbe1ba

SHA512
3b69cc6780303140e81209e801d4e518652c7739a3a28c46aee5043459b9ca35e2b56a4779f5e45b03c96e74d5bc68314955857eaeab8c50416d6b183799e088

Download Submit
C:\Users\Admin\Desktop\desktop.ini.TROLLD.t

Filesize
444B

MD5
e8cec7a0ea074cc156c8533960bed43a

SHA1
6e9dced4cabb53e277a97e8333198cf7ef3330df

SHA256
338a44295bbe411c096fe17b9ba2b0ff705948f6dc49355eeb370120d4dad56b

SHA512
8b621191d41dfcb7fac6773b400ee0d0a0d93764c4bd2365c396287d55e1d0bfbce7d797fa615f0d426ea5d06d6f849cd7366f67b3b88b585ac7bc732a12876e

Download Submit
C:\Users\Admin\Desktop\encrypt.bat

Filesize
821B

MD5
707eff8c30451caf8ad54b2c4963f676

SHA1
ee75dc9ed84c4fb244bcf9cccc825dc73dcc68e9

SHA256
ee0372d5b968d9ddf609fdbb50043f3e78169e27ac75d231d3fc5c50d3b739ed

SHA512
498237949a6626ffcf004bef6426a628d196c40c1c0fa2e3c5f77a1282dbebda45e2a0174973af6a0981fcb396324e705deabcd0afa114e9c3f5db97e23b18b5

Download Submit
C:\Users\Admin\Desktop\encrypt.bat

Filesize
821B

MD5
2792a678219a24ebf42646b3ebb8138a

SHA1
848f70ce9270febf16e44ba51cc84e6d7a46e468

SHA256
1ac7dfd8410b0c13db259c898035f1585d92ab2ac2766256e9ea3de20c5f1af4

SHA512
a5d594228b9306dd26fce323014d02172257ccf465098d01417c5e9b04a63fb749c3f03f5adc69b148f9f411a88c4750d41fbb4de1c1268b1786f02780eb3e8d

Download Submit
C:\Users\Admin\Desktop\encrypt.bat.TROLLD.t

Filesize
1KB

MD5
af0d28a6e3295231e9f53150536a2b0c

SHA1
97e70594a7baec79afefa6b577cf00b4bc5d08a1

SHA256
dda131618f8ce220a0fd1896cbc8606e5245863fec6ebea7d670615f67e4abe5

SHA512
a63db19bde544313ede12aa51b960e77c94db5f71c7a9055ed48e28885b694dc863f37d0609b8558b9ef791db0d7157a350ff9c15d50856336a81f578d0c4949

Download Submit
C:\Users\Admin\Desktop\ranzomware.zip.TROLLD.t

Filesize
778B

MD5
7296a9d1825baa70b3de48de5ae44a5c

SHA1
eb1cfda749c9f902264b231eb0360031951128d1

SHA256
a4647a470361555c3dd4d8ea3d789d4e1322305e551f830252fb472b90b1b603

SHA512
49aaed909340dd76b56e2ddde125e1df9a6c36b4c68f3afc199fa7f5013845f7a9604f623a5ef18cec057227fe6afd7caac4335428841bc8af9653e89f4a953c

Download Submit
C:\Users\Admin\Documents\Are.docx.TROLLD.t

Filesize
15KB

MD5
2bc116de549706d63c529f56875aff01

SHA1
434daa7624a594c02623c01adddaae67703f0ea3

SHA256
67eff6f264fdb00a437af3992feaf2ced0d5deb93e660c43e29ce27c518e5357

SHA512
0e44cb11df2f6db85b63df38c5008eb60d10a67283d4d1b0e5faa9b8da2701ca195e463fe2788798d47502af3129ef4482467f27b0f95e0be141fd2ac2977668

Download Submit
C:\Users\Admin\Documents\AssertRename.xlsx.TROLLD.t

Filesize
494KB

MD5
d55e28e1324ba09220f902f6435aa7ee

SHA1
d15b38bc646eaea989e2d7416af586f423060412

SHA256
0223c92201b56ef4c73099394299e553c2c6bbb0d6c3a0499317cbbde00ea4f2

SHA512
1cca4f9c73c8c50e0124b65556d30efddc1272814a253efba4f97c67026279e55bf92f02b5ccfef36ad7f8bf61d273cc219df5ec02bb04daedacbf863f16f9ef

Download Submit
C:\Users\Admin\Documents\BackupOpen.xlsx.TROLLD.t

Filesize
665KB

MD5
6c617a197a9121ced83ab538ab819dcb

SHA1
5635afc09058e4aaf289152bbe5d2721c0053d96

SHA256
8d76d561679a8b0899da71b4583fc36bd90ce88adb5238bce3939090ecf001de

SHA512
6410c5b3283c324ac36c389de5f459cdf0fd1e5b531d6eed18157f959f079b5e39774610bbcc6644d0956fa0244b341b23cfa9aabee44f900e2c5df93ddaeb93

Download Submit
C:\Users\Admin\Documents\CompressDismount.docx.TROLLD.t

Filesize
511KB

MD5
bb8937d3adc3f6a2aa024f8215e17ae8

SHA1
b221daed1984aa9c7706fa47f615c2427bd1c3f6

SHA256
190b7b2c0d7c3f5c19e9a339a5a58419bc7b722ffba8d3afde795a0aed22b74f

SHA512
4ee1abd2a4ab1991e7bef2adc356f99b575ea489e8a6a00804ff1c9462ac74c1c31069e62e55515484912767f7f1d356b2f32a6ec2a7fd7212561022c0e1dff9

Download Submit
C:\Users\Admin\Documents\ConvertFromUnpublish.htm.TROLLD.t

Filesize
630KB

MD5
67765b40ec5a7a384c9555e47dea3f86

SHA1
83b728b581e7b9948fb8da444936171f63e5559e

SHA256
1a11566035b41ab9ec43084cee586065951fd2383d4f8c5f19db11dc09bdd6a9

SHA512
8d717dc4aa22d6d5e43d233db3c1812ffbd2ee155bd2dad24a11c1a96bd450eed1f852a068217919f762950e4c61ead5d431136b40091dc430834856a30926f9

Download Submit
C:\Users\Admin\Documents\CopySplit.potm.TROLLD.t

Filesize
596KB

MD5
e64ec4a1ed5320308b130c56882b626b

SHA1
067dee535976c753e72143b8fbc1c8d7bb3f5260

SHA256
ccb6bc6bf4d9e81ff0cc216574aefa87c1cdcce98f4132d371e96b018b4eac82

SHA512
68ac10127705ff3201d1c1a6b9385cbcea9af0be268f54269741c63911bbc91f3d19808d166b729aab825c32fba565c8bb446495159860a520b6335609d8b4d9

Download Submit
C:\Users\Admin\Documents\DebugRedo.xlsb.TROLLD.t

Filesize
306KB

MD5
007ec484872bc4798692bd8d4623f466

SHA1
1c082602f5111cd2f26c5f6ae48b52f706ce12e5

SHA256
4fedea818637dc46d9c4e800bdb8103facbc4e4fbbfb49bf08477508f76de1fb

SHA512
b05b935d3c8071afcaf51c6571da6bb0c217a91289472cc88c8a90c4beb2374b8ba05ac018a38c0047930bbbe052b251f5facd86081c63a4e0cb5d4fbaf4d340

Download Submit
C:\Users\Admin\Documents\DisableConvertFrom.xla.TROLLD.t

Filesize
460KB

MD5
35ac05c828c64b1fd10ec531ac4fe3ca

SHA1
5754841cd96fb8b403c513ade7b695be2a055f91

SHA256
9ddfaffd864e8594d0c7f0bc85329724c59ea5affea40f454b4ca372695b3739

SHA512
71d97ced9671d276ec9f3dd665eeae83082b80f9c3a6ac05c7921595ca3084b56b28d3c1921375a21f80d46d09901316a0fab31fd340bdb4782f8a14269830f6

Download Submit
C:\Users\Admin\Documents\DisconnectResume.pps.TROLLD.t

Filesize
324KB

MD5
6c7f081052aa450aa670d7922fc5b33e

SHA1
022fec1877e36e4cbbd7242c4032a9ac2dc5ad96

SHA256
3f95a894581feb2dcc1cfcd2f917681bf5209dcabf2149454fc8be014002feca

SHA512
3afad860647ade765bd894a10b0af8320b82b03eca6802272a3aedd078aba02f08e8b8b0a7358694e1ef14bca3e448b7b46d2fec04dc506db8c46c96bf5a055d

Download Submit
C:\Users\Admin\Documents\DisconnectWrite.ppsm.TROLLD.t

Filesize
358KB

MD5
d426479f9c2f8ebf8371c8c89789355f

SHA1
db8ca0180181299f8ca8c645ec54e92b506e6c36

SHA256
3f666f9c5b6b08fef3a8c28a2dd4a8cb77ce51473552e6e2da83bb03ad1adb2d

SHA512
3ce18991dd99d98ab4ed542fadd10bd539588d49778863f10f7ac0e36eaf0a1d51977a3e28f06dcba754079f975f616283d6785157f310f8e26cdbe5a117c5c2

Download Submit
C:\Users\Admin\Documents\Files.docx.TROLLD.t

Filesize
15KB

MD5
7831430c35a8a23f33c7216c2ee25e5e

SHA1
8532f46bd96d07a58101084536aca7e496d42b8d

SHA256
1169abdb740fcf0a64ec608868a7efc7d79ccf17e3a4614bff3cae4bdd783091

SHA512
020a23269f7687365715b22058aba3aab1083007a4cd0fa0308489309c6934131b3afd4d8da7faf4f07083e3ba332b932c24d18cdeffcdc57a23916fb9bcca22

Download Submit
C:\Users\Admin\Documents\GetGrant.vsd.TROLLD.t

Filesize
733KB

MD5
6b8a8af21e3bc3d1e0499b5ca189f2cc

SHA1
7ff5b22acecb72fcba3fe43a89c3b4081aad9c36

SHA256
df081f8f871ad4b98e3e2d78148fe71d8230785bf43e656f14accc426e440947

SHA512
74a8c3312c6c243135dea3ad031cb7d8873325ae771d6a885d50ae3eaf7d9a9430b60216441b83cd98c6fe2708d22e6215772bb6d695b614b1bff815a8926412

Download Submit
C:\Users\Admin\Documents\GroupConnect.vsdm.TROLLD.t

Filesize
545KB

MD5
0b2b576932a7fb49319f8d1311f7460d

SHA1
90c60cbf1e4030c73ce3d6b011ef78676f06c88f

SHA256
8843eab6220c3a4ece559ca227b9f5aa5e21934b08980c1671d6a6b2827776b9

SHA512
0532b3c7ce8d0be4ffdf6a3a9045ea814d0052fabd1d06506cc6ef1c817e27c6df03bc28f8de08691ba6d20e596e6296f088a92f48a83e0cfdd0b8e558e85df6

Download Submit
C:\Users\Admin\Documents\InvokeFormat.vsx.TROLLD.t

Filesize
682KB

MD5
ccf90b5ecc684f3f0dd02c4e1e7750fa

SHA1
0de4d693a7e5da9979f9327d29b00227b09d2e09

SHA256
8b1a937d64f88399ca575c72e129477c469933c8b44e5e5e58e52848f84d137b

SHA512
f92f8df3135a8ea62f7385846d21925481385dcdfcb61d8e34867fb53e57732aa56e029fd533bc131b4a03dce9b25487b4f2d6522e958e72b7e965c035ce3073

Download Submit
C:\Users\Admin\Documents\MoveGet.pptm.TROLLD.t

Filesize
341KB

MD5
ba8746e929f0337197752126dee4f74e

SHA1
7ea51069e9daeb5dcfc69f3fe47bd09c7534d0aa

SHA256
71c4a9a24203ee051218b28145c5865c4393ee95d6886ec847ae4afd43824d82

SHA512
2ddf84e7e694b1b04b7068fe032c8f7f18338be0445a1a1e58834d72d7a936ccbe036f58bbad0e5cd4844b68b1928e8534429a1240229a4c51e733b6dc492267

Download Submit
C:\Users\Admin\Documents\Opened.docx.TROLLD.t

Filesize
15KB

MD5
4b1de8b53816c8f3ef87f0c03d7076d1

SHA1
0a54a2b7c09068532553249b537531309278f209

SHA256
6862188a0b85728e0ea8e9e1d82a9d922f81b63519bbd489a811ea9faab8194b

SHA512
c1457aa48c941b0b922e7dfbef0158628ff493c0d1d22a37bbf9961fbc446de5efcd50f4e7b87666ad16c15caffcbea39bb25a16cd031a1a06597fb1f048b46e

Download Submit
C:\Users\Admin\Documents\OutFormat.vsd.TROLLD.t

Filesize
392KB

MD5
23dd5e4c9d65e11e96bee71f243fb855

SHA1
392e75b6dfb74266d849d4a40070ce83a6c8c202

SHA256
992bcea2fc78a143e4dd82ebf846625d9b19e2accde0ed966212593ec00998a0

SHA512
4ebc21f3dfe3f0a7e4f6a9c1dc7f30221c69eba787c4f28deddcb93ef712b38c1028be0289f8a398eefcd2d266deefb8ec427d1eb0173227a0499e83d1bb6a6c

Download Submit
C:\Users\Admin\Documents\PingApprove.xla.TROLLD.t

Filesize
562KB

MD5
fd6c7f80df654c00fa73f322c56f6084

SHA1
b5335bffd517a51984a53b34454ef5419a24bcdf

SHA256
f8fdb5d5411d127142c6af309caaeda41e2ab601b2cbdd6c211fe885a6207236

SHA512
ace2662199cdcd120195d0f15d5b5a5e3d84b67e63110b011f8ab8a2f4a54b15920e41d776650409b012fb7e47764e818f600f513f27d5b966c0158dd26778bb

Download Submit
C:\Users\Admin\Documents\PingCompress.vstm.TROLLD.t

Filesize
477KB

MD5
139404815a135d820bab76b7854bdd0d

SHA1
7ad93140888770acf4a964f33c2b15e3fbb1dc62

SHA256
871dfd15b14764a9b0d7c344819cf19dd6718787a9f6ddbd7d2ee64e198b00f2

SHA512
eea350e985fc73e3f89fb148aa4705ac8963d2a23f579ca87e6efe987da31f102761b9b2a4eba2a5ca83d71013b555a950b1886427197c409f0f92ad4f8a1cfa

Download Submit
C:\Users\Admin\Documents\PingImport.mht.TROLLD.t

Filesize
426KB

MD5
74e67e1bc6dcd94bf149fab2be809d27

SHA1
5d35aff11dc7857a82aa3d1546499796f256f555

SHA256
224595236a6ff5b0a5a8036e95b8c5d624a54ece0c33c4e2f91670b6523427e3

SHA512
e4ee1038e519c356955fbe7b7cd0d2ce4a0116688aa63daf85214dace2eb12f85e41926ae1453e30380b305aa60bbb144b4515783416b8a23445f59cc5821126

Download Submit
C:\Users\Admin\Documents\PopTrace.vst.TROLLD.t

Filesize
784KB

MD5
2943fe6d0138c55751bcd67ca8770194

SHA1
fa4cc7d6cf339cd22b65e846ae23d41987a90d68

SHA256
45c79b55221325c0d5459931902c426433d8f2b7b199b7ec7794b41b2dc27d1b

SHA512
04b31307941a190610aac7a4b2237884b2963844752f2297a54fcb242a78c322887ec3b35fdf9a2c3c3cc207fd7d18651259c3fea7cb23c6ab434193ccdf70f1

Download Submit
C:\Users\Admin\Documents\PushStep.dotx.TROLLD.t

Filesize
648KB

MD5
0024e926706956730fb28c25cd6c56df

SHA1
21a7be971eb61d729ac3a3391229a22f8c642ddb

SHA256
7291ed5db08c63e40f264dfa0117f9402a75cab3df74f9a44e8410bc4477f962

SHA512
55b893af08726261b2b7b4de4deef0dbbc2e8133514e845a189ca2017fc6ceee2599c78259e3ea6bdc2b417540017693d35e133ad384ae8ee20718853776e2e9

Download Submit
C:\Users\Admin\Documents\Recently.docx.TROLLD.t

Filesize
15KB

MD5
9ce2276d50112fb241e1f130c42a225b

SHA1
0ca5d34e2c25f056827dba4cb6707836109869e0

SHA256
1a0448f925470ffb1f1ffcd9b263b75365da09b1dd63f2f016902ff4c5eef32d

SHA512
0a3d8fdbeeb15534b81339d35dcb7e0fc679d510de5906d54a3f6b11f12f0dec10297a456910df329bc738a34b9543c20d084533529944cb086c6397dc982cb9

Download Submit
C:\Users\Admin\Documents\RemoveSkip.vsx.TROLLD.t

Filesize
716KB

MD5
f7cec662c6cf11cda3b05491afeb084b

SHA1
5392c1569778173ef3c3b604975dfab609821702

SHA256
f2b31231ef8e9472889627809ba3d7f5f937526e922ba766394e76224d92c95b

SHA512
0011c844a1dfb85da56f494c37324ae63747adf2236a4495adb96333ec3f1c0d39411e4fd473cfefad9788a97551a5f8a4cca4aeca8473a33a54190e8e105cd5

Download Submit
C:\Users\Admin\Documents\RequestConnect.xlsb.TROLLD.t

Filesize
289KB

MD5
b6c76cdde8adec0af77b2a1257815081

SHA1
64d25a6e8c3fb40e96556e7b4c955e751855e942

SHA256
56a80b0bdbf736c4d4a50a9f32be70a2b1c55905f617435f10f36662e1f5fce7

SHA512
3ef462f6711f26d1f8f6e66bd03137a5d930117d54f3163c432633ef9638fa7c326f51b0867653df41e8bdd12aa577ac46696adff122158b8edcab2a70d8e2bb

Download Submit
C:\Users\Admin\Documents\RestartMount.mpp.TROLLD.t

Filesize
613KB

MD5
a5d9edab696156b097e19e5eb012b710

SHA1
8c8833734ea7f475c479fed61dd1a757f5516d3e

SHA256
fe928205af2eea1099f1ece3ca92fcbbdf1d64e433509a4ab132466bc5ee62ff

SHA512
08e7b032760ac95484b462e53670cc2d2e00da13f7dc5c05c6a7d0e534c6255488277eaa3f1d0ef1542314984c0a72ed5b6595a9269e496e4e87463ca0f7fb8d

Download Submit
C:\Users\Admin\Documents\RestartRestore.wps.TROLLD.t

Filesize
375KB

MD5
c414737a3b6623b99e8070811e6ba8e3

SHA1
ccaea5f047377355f3c18b83d79b9e682195cdeb

SHA256
5ba2407da50f0665b2c42e2ff619696a24b500f63db6edd41becb37c8d41b435

SHA512
657e3d5d606d0e36ce5bc51f535188c0e10db1f2738dba67aea246c2549c1eb6377e2dca25706486d52fef0db4f23d91e84231ff8e38f8bd7d8a5f15544ed604

Download Submit
C:\Users\Admin\Documents\RestoreJoin.ppsm.TROLLD.t

Filesize
767KB

MD5
9cd057b4f373c1e9e9aecb40c80dc78f

SHA1
2edeb11cef3384cb647dc1c016c52c38e9293d50

SHA256
f8f6e0160972f7fcf6d23b560d32162a9af5b5e83e3b0db89b776d319e7cc012

SHA512
14185ad79885f139bde183538b5a605cc2dd5480cb3ee3d999fd426265eb8bd0b183824ae25e613a6eb0780e1f762b3fbf616d4738d6a62cf4b31986c31446c8

Download Submit
C:\Users\Admin\Documents\SaveDebug.xml.TROLLD.t

Filesize
528KB

MD5
5923727a3f50dc595a12462507376b23

SHA1
ad43fb8b547ba04a590474c1fccda6629fe4d4c4

SHA256
658ca3031830a0a079e17b150ce2f41664ab5a87d0c37385b07860efaadb8162

SHA512
b371edaaf2f27ce3b922e73454a772a792d6c3dfb57a896771199cb31247b52889616010fdcdee5cc0cbb3d04db17bdcbe806f8c7df05c9feecef22464255fd4

Download Submit
C:\Users\Admin\Documents\desktop.ini.TROLLD.t

Filesize
610B

MD5
6bac9e61111a928e406ec0ea3dd1497a

SHA1
349bb7483d9302b6e6a66d43622a7de94fbdbb31

SHA256
46325ec9786ffbe817b0d28b8969e55e05c483f4453ed2a91cf16c625af0df21

SHA512
7b60ccb214c7e6baa0065bb6406d1ec5272a56950d748083fcd5b82bd72e72ed0728add957584983a494953aa64404a016ab6219a8509bc8d80358edfd8c81ac

Download Submit
C:\Users\Admin\deployment.properties.TROLLD.t

Filesize
2KB

MD5
09be963270edc98e18abc182159b9198

SHA1
b575fab1be7de9b9307931151f6abb675cf86319

SHA256
9258611a6f7ae19dd29184ad943f3fa62e5463bb3f03d1f2a1a8f6557245c343

SHA512
808fd776e83a7d2334bbad55f6335eb40160060f940f93589dbda79a1b05ba03d42a4ed3bca31c7367a89dd4a96e4c7523e0fac1bb01ac8303f5c8428bdd1394

Download Submit
C:\Users\Admin\ntuser.ini.TROLLD.t

Filesize
86B

MD5
6ec5c5d06806d4ee8ff4c879cc4ce5a1

SHA1
ebaea8b9da21bcd0e5db4a18435e1b56f1c127aa

SHA256
aba41c4e2ce4c10f52d0618bdbc28e5dce1c6baf5f9f6698aaa3171cbdcf09c4

SHA512
f5816b5ae372e896af4aafa40cd25aacda0e477fc5bd6adf27a761e60edf2c53ed0f08bd4c17777fe87bbd1765dbc6ba29ddbb5f1dc9fde6ec92697f384a08db

Download Submit