Sample File:
MD5 hash: 61e6fb6d1882411f588ae60cd2803ce4
SHA1 hash: 94e0a747af5edf70cd3db0224686f4fe2db2a8aa
SHA256 hash: f664d5e8a47084388e3d0efabc38b5f04a759e382211846f722be6f7365df7fc
Filename(s): pricaz _6_.js
Filetype: JScript

Mutex IOCs:
Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-3643094112-4209292109-138530109-1001
Global\pc_group=WORKGROUP&ransom_id=37c4473eba2ee5af

Registry Key IOCs:
HKEY_CLASSES_ROOT\.JS
HKEY_CLASSES_ROOT\JSFile\ScriptEngine
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Environment
HKEY_CURRENT_USER\Keyboard Layout\Preload
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. Australia Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellSnapIns
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

IP IOCs:
213.164.242.16
85.105.167.110
89.238.207.5
109.239.19.225
89.75.148.59
94.190.179.160
91.139.147.93
90.177.80.171
188.254.187.254
109.121.206.4
31.41.44.99
94.103.82.89
185.198.57.157

URL IOCs:
telemetry7win.at/merry.rar?SOiJ
ipv4bot.whatismyipaddress.com/
185.198.57.157/curl.php?token=1082

File IOCs:
Filenames:
C:\
C:\$Recycle.Bin\S-1-5-19\\GDCB-DECRYPT.txt
C:\$Recycle.Bin\S-1-5-21-3643094112-4209292109-138530109-1001\\GDCB-DECRYPT.txt
C:\$Recycle.Bin\\GDCB-DECRYPT.txt
C:\Boot\BCD.LOG
C:\Boot\BOOTSTAT.DAT
C:\Boot\BOOTSTAT.DAT.GDCB
C:\Boot\Fonts\\GDCB-DECRYPT.txt
C:\Boot\Fonts\chs_boot.ttf
C:\Boot\Fonts\cht_boot.ttf
C:\Boot\Fonts\jpn_boot.ttf
C:\Boot\Fonts\kor_boot.ttf
C:\Boot\Fonts\malgun_boot.ttf
C:\Boot\Fonts\malgunn_boot.ttf
C:\Boot\Fonts\meiryo_boot.ttf
C:\Boot\Fonts\meiryon_boot.ttf
C:\Boot\Fonts\msjh_boot.ttf
C:\Boot\Fonts\msjhn_boot.ttf
C:\Boot\Fonts\msyh_boot.ttf
C:\Boot\Fonts\msyhn_boot.ttf
C:\Boot\Fonts\segmono_boot.ttf
C:\Boot\Fonts\segoe_slboot.ttf
C:\Boot\Fonts\segoen_slboot.ttf
C:\Boot\Fonts\wgl4_boot.ttf
C:\Boot\Resources\\GDCB-DECRYPT.txt
C:\Boot\Resources\en-US\\GDCB-DECRYPT.txt
C:\Boot\Resources\en-US\bootres.dll.mui
C:\Boot\\GDCB-DECRYPT.txt
C:\Boot\bg-BG\\GDCB-DECRYPT.txt
C:\Boot\bg-BG\bootmgr.exe.mui
C:\Boot\cs-CZ\\GDCB-DECRYPT.txt
C:\Boot\cs-CZ\bootmgr.exe.mui
C:\Boot\cs-CZ\memtest.exe.mui
C:\Boot\da-DK\\GDCB-DECRYPT.txt
C:\Boot\da-DK\bootmgr.exe.mui
C:\Boot\da-DK\memtest.exe.mui
C:\Boot\de-DE\\GDCB-DECRYPT.txt
C:\Boot\de-DE\bootmgr.exe.mui
C:\Boot\de-DE\memtest.exe.mui
C:\Boot\el-GR\\GDCB-DECRYPT.txt
C:\Boot\el-GR\bootmgr.exe.mui
C:\Boot\el-GR\memtest.exe.mui
C:\Boot\en-GB\\GDCB-DECRYPT.txt
C:\Boot\en-GB\bootmgr.exe.mui
C:\Boot\en-US\\GDCB-DECRYPT.txt
C:\Boot\en-US\bootmgr.exe.mui
C:\Boot\en-US\memtest.exe.mui
C:\Boot\es-ES\\GDCB-DECRYPT.txt
C:\Boot\es-ES\bootmgr.exe.mui
C:\Boot\es-ES\memtest.exe.mui
C:\Boot\et-EE\\GDCB-DECRYPT.txt
C:\Boot\et-EE\bootmgr.exe.mui
C:\Boot\fi-FI\\GDCB-DECRYPT.txt
C:\Boot\fi-FI\bootmgr.exe.mui
C:\Boot\fi-FI\memtest.exe.mui
C:\Boot\fr-FR\\GDCB-DECRYPT.txt
C:\Boot\fr-FR\bootmgr.exe.mui
C:\Boot\fr-FR\memtest.exe.mui
C:\Boot\hr-HR\\GDCB-DECRYPT.txt
C:\Boot\hr-HR\bootmgr.exe.mui
C:\Boot\hu-HU\\GDCB-DECRYPT.txt
C:\Boot\hu-HU\bootmgr.exe.mui
C:\Boot\hu-HU\memtest.exe.mui
C:\Boot\it-IT\\GDCB-DECRYPT.txt
C:\Boot\it-IT\bootmgr.exe.mui
C:\Boot\it-IT\memtest.exe.mui
C:\Boot\ja-JP\\GDCB-DECRYPT.txt
C:\Boot\ja-JP\bootmgr.exe.mui
C:\Boot\ja-JP\memtest.exe.mui
C:\Boot\ko-KR\\GDCB-DECRYPT.txt
C:\Boot\ko-KR\bootmgr.exe.mui
C:\Boot\ko-KR\memtest.exe.mui
C:\Boot\lt-LT\\GDCB-DECRYPT.txt
C:\Boot\lt-LT\bootmgr.exe.mui
C:\Boot\lv-LV\\GDCB-DECRYPT.txt
C:\Boot\lv-LV\bootmgr.exe.mui
C:\Boot\nb-NO\\GDCB-DECRYPT.txt
C:\Boot\nb-NO\bootmgr.exe.mui
C:\Boot\nb-NO\memtest.exe.mui
C:\Boot\nl-NL\\GDCB-DECRYPT.txt
C:\Boot\nl-NL\bootmgr.exe.mui
C:\Boot\nl-NL\memtest.exe.mui
C:\Boot\pl-PL\\GDCB-DECRYPT.txt
C:\Boot\pl-PL\bootmgr.exe.mui
C:\Boot\pl-PL\memtest.exe.mui
C:\Boot\pt-BR\\GDCB-DECRYPT.txt
C:\Boot\pt-BR\bootmgr.exe.mui
C:\Boot\pt-BR\memtest.exe.mui
C:\Boot\pt-PT\\GDCB-DECRYPT.txt
C:\Boot\pt-PT\bootmgr.exe.mui
C:\Boot\pt-PT\memtest.exe.mui
C:\Boot\qps-ploc\\GDCB-DECRYPT.txt
C:\Boot\qps-ploc\bootmgr.exe.mui
C:\Boot\qps-ploc\memtest.exe.mui
C:\Boot\ro-RO\\GDCB-DECRYPT.txt
C:\Boot\ro-RO\bootmgr.exe.mui
C:\Boot\ru-RU\\GDCB-DECRYPT.txt
C:\Boot\ru-RU\bootmgr.exe.mui
C:\Boot\ru-RU\memtest.exe.mui
C:\Boot\sk-SK\\GDCB-DECRYPT.txt
C:\Boot\sk-SK\bootmgr.exe.mui
C:\Boot\sl-SI\\GDCB-DECRYPT.txt
C:\Boot\sl-SI\bootmgr.exe.mui
C:\Boot\sr-Latn-CS\\GDCB-DECRYPT.txt
C:\Boot\sr-Latn-CS\bootmgr.exe.mui
C:\Boot\sr-Latn-RS\\GDCB-DECRYPT.txt
C:\Boot\sr-Latn-RS\bootmgr.exe.mui
C:\Boot\sv-SE\\GDCB-DECRYPT.txt
C:\Boot\sv-SE\bootmgr.exe.mui
C:\Boot\sv-SE\memtest.exe.mui
C:\Boot\tr-TR\\GDCB-DECRYPT.txt
C:\Boot\tr-TR\bootmgr.exe.mui
C:\Boot\tr-TR\memtest.exe.mui
C:\Boot\uk-UA\\GDCB-DECRYPT.txt
C:\Boot\uk-UA\bootmgr.exe.mui
C:\Boot\zh-CN\\GDCB-DECRYPT.txt
C:\Boot\zh-CN\bootmgr.exe.mui
C:\Boot\zh-CN\memtest.exe.mui
C:\Boot\zh-HK\\GDCB-DECRYPT.txt
C:\Boot\zh-HK\bootmgr.exe.mui
C:\Boot\zh-HK\memtest.exe.mui
C:\Boot\zh-TW\\GDCB-DECRYPT.txt
C:\Boot\zh-TW\bootmgr.exe.mui
C:\Program Files\WindowsPowerShell\Modules
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll
C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml
C:\Program Files\WindowsPowerShell\Modules\Modules.dll
C:\Program Files\WindowsPowerShell\Modules\Modules.psd1
C:\Program Files\WindowsPowerShell\Modules\Modules.psm1
C:\Program Files\WindowsPowerShell\Modules\Modules.xaml
C:\Users\5JGHKO~1\Desktop\PRICAZ~1.JS
C:\Users\5JgHKoaOfdp
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_037cac7f-3205-4f41-87ab-36285b680510
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_188860f4-0679-4fd0-b484-187a5f17529b
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_27a6b737-e0ba-4068-91dd-df8565735034
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3186b7f4-e38a-40a6-af89-228fb596d0a1
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d8ab723-44d5-4795-947e-d5b7229dfa98
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e67daab-35d0-4e80-9b43-df246309b2d1
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_475e4689-74ef-43e7-90fe-d79deb0624b6
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_49e7e553-4311-4abe-b1f1-75195838f0f3
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_50d1a972-c2bc-4be3-857a-6ad57bf37250
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5713a0d6-d10b-4b74-9a40-4d532ad03618
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59d5724e-f87a-4ca0-8538-a1aa0afd1b15
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_600154a2-5b63-48f9-943c-f8e123360163
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_64f9e75e-6fc7-41b7-be7a-7c9fe8ff921f
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66f2ad77-2ad3-4044-a136-48e7ec5af0c1
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70ef2992-2518-42eb-ad6f-f6d2b834087e
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_720292a3-508e-47f8-8133-7dbca19a17fa
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_882fc4e8-005d-47a8-b798-e37046e181df
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0f47a5b-3971-44a5-bd40-01241883a431
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3dea8a0-8c87-4f9b-9a1c-300ad32616da
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b38f6763-c723-40d8-b8de-c06c46071305
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8b9e900-0989-431a-88c5-32335c6c413f
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dbee20bc-62c7-4e43-88cf-26896b7d00e5
C:\Users\5JgHKoaOfdp\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
C:\Users\5JgHKoaOfdp\AppData\RoamingeOX20.exe
C:\Users\5JgHKoaOfdp\Documents\WindowsPowerShell\Modules
C:\Windows
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml
C:\Windows\system32
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.Format.ps1xml
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.Types.ps1xml
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Microsoft.Dism.PowerShell.dll
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\en-US\Dism.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\en\Dism.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1
C:\\GDCB-DECRYPT.txt
C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll
C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll
C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1
C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1
C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1
C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1
CONOUT$
c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1
c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1
c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1
c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1
c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1
powershell.exe

MD5 hashes:
61837361532f862e30ffee38c44eda46
a15e3bf31a9614ef17d3c33e54536e17
b045619c51603937bff8f832fb125339
e6cf22b643516b1cbc1454324c2aa5cb
e8e6e1b9670f015ff4e0a55a47615496

SHA1 hashes:
186d1c742c97a503765a44c8ba7236d6561e1228
22726d8300f1511353749f6fb1ac1daa05a3c915
2c8ddc87345e1c52173d9ed19161adbf60efe125
9f64bbffa5f580d8056edf6bcfebedcace913943
c0092de53a8bed8dc8ee0cfaea61b1b6f3f2124a

SHA256 hashes:
2af233b36d2216fae1abf43ad7726d871355236517fdbf49367fdb599b168b85
2ba0ac4628e063acc987add7b3107068c6bb8d8bcc2b722132880bd6ba2de898
4e21cb59a18a4be27cf9879fdcc40411cd9ec5bc8b4340101d4eed2a3ff82c49
a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12
eadfa2893129bb8a4142c54e6c5be229fa24e7f4cb6e3396a368f420cc98630f