DHLForm.ppt

Status: finished
Submission Time: 2021-09-15 15:26:15 +02:00
Malicious
Exploiter
Evader
Trojan
AgentTesla

Tags

  • Powershell
  • ppt
  • PS-3losh-rat
  • Rat

Details

  • Analysis ID: 483878
  • API (Web) ID: 851446
  • Analysis Started: 2021-09-15 15:34:22 +02:00
  • Analysis Finished: 2021-09-15 16:08:18 +02:00
  • MD5: 5a5ff1cffdb0ea343fd5ab32c6eeb740
  • SHA1: e372c4f53febe5c4d74a01eb6985e80a31d52e25
  • SHA256: 9e4134fbb243efdb6d965eec21d98b4ad702e7fca13b5f1af47d30e3b0019585
  • Technologies:

Joe Sandbox

  • Detection: malicious
    Score: 80
    System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
  • Detection: malicious
    Score: 100
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

  • Detection: malicious, Score: 13/59
  • Detection: malicious, Score: 10/45

IPs


Domains


URLs


Dropped files
