01fd9dd202ab86a6082014a9d006c4ca8167b34d8fe933464d23c69c290be8e6

Analysis

max time kernel
329s
max time network
383s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Canva-x64.appx
Size

132.2MB
MD5

2f36c9a6d2b879134439ed8cef634efc
SHA1

57b82781820bb17682475bccd83e761e8e53303e
SHA256

01fd9dd202ab86a6082014a9d006c4ca8167b34d8fe933464d23c69c290be8e6
SHA512

b5378a399d2493135017052bf7c938a5737c82bfb9b2d9d0995c23c9ac171ca2cad6e4343decf5e78c933b8ae78b7535dbb7223de912c9e1abb65bac56ee831c
SSDEEP

3145728:+z7nTOuDWfYseuqIJ+F89UARaZSe9kEcYAoshVkmQdvDX/efStWKv+Wclktb:C6YmRe8m8S19k4Aos0vDAStWBWrb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
73	4816	powershell.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Canva.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Canva.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Canva.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Canva.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Canva.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Canva.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Canva.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\canva	Canva.exe
Key created	\Registry\User\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\canva\shell\open\command	Canva.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
2952	Powershell.exe
2952	Powershell.exe
2952	Powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
2388	Canva.exe
2388	Canva.exe
644	msedge.exe
644	msedge.exe
5964	msedge.exe
5964	msedge.exe
2436	identity_helper.exe
2436	identity_helper.exe
5652	powershell.exe
5652	powershell.exe
5652	powershell.exe
2652	powershell.exe
2652	powershell.exe
2652	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
2384	Canva.exe
2384	Canva.exe
5804	msedge.exe
5804	msedge.exe
5804	msedge.exe
5804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2952	Powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe
Token: SeCreatePagefilePrivilege	4580	Canva.exe
Token: SeShutdownPrivilege	4580	Canva.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
4580	Canva.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4508	2400	AiStubX64.exe	96
PID 2400 wrote to memory of 4508	2400	AiStubX64.exe	96
PID 2400 wrote to memory of 2952	2400	AiStubX64.exe	97
PID 2400 wrote to memory of 2952	2400	AiStubX64.exe	97
PID 2400 wrote to memory of 2952	2400	AiStubX64.exe	97
PID 2952 wrote to memory of 4816	2952	Powershell.exe	99
PID 2952 wrote to memory of 4816	2952	Powershell.exe	99
PID 2952 wrote to memory of 4816	2952	Powershell.exe	99
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 2400 wrote to memory of 4580	2400	AiStubX64.exe	100
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1164	4580	Canva.exe	101
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1824	4580	Canva.exe	102
PID 4580 wrote to memory of 1880	4580	Canva.exe	104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\Canva.Canva_n2m7swxggd232!CanvaSetup1.exe
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\AI_STUBS\AiStubX64.exe
"C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\AI_STUBS\AiStubX64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\xcopy.exe
  "xcopy.exe" "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\VFS\AppData" "C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming" /e /s /y /c /h /q /i /k
  2⤵
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\NEW_pack_susp-end.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\NEW_pack_susp-end.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
  "Canva.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Canva /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Canva\Crashpad --url=https://f.a.k/e --annotation=_productName=Canva --annotation=_version=1.74.1 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=25.8.1 --initial-client-data=0x458,0x460,0x464,0x45c,0x468,0x7ff67afdc208,0x7ff67afdc218,0x7ff67afdc228
    3⤵
    PID:1164
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Canva" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1780 --field-trial-handle=1784,i,5561133973344779193,1224499623548939769,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:1824
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\resources\app.asar\dist\availability_check_server_agent.js" "{\"A\":[\"https://www.canva.com\",\"https://www.canva.cn\"],\"B\":24642}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2388
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Canva" --standard-schemes --enable-sandbox --secure-schemes --bypasscsp-schemes --cors-schemes --fetch-schemes=canva-file --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2140 --field-trial-handle=1784,i,5561133973344779193,1224499623548939769,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    PID:1880
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Canva" --standard-schemes --enable-sandbox --secure-schemes --bypasscsp-schemes --cors-schemes --fetch-schemes=canva-file --service-worker-schemes --streaming-schemes --app-user-model-id=com.canva.CanvaDesktop --app-path="C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1784,i,5561133973344779193,1224499623548939769,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Canva" --standard-schemes --enable-sandbox --secure-schemes --bypasscsp-schemes --cors-schemes --fetch-schemes=canva-file --service-worker-schemes --streaming-schemes --app-user-model-id=com.canva.CanvaDesktop --app-path="C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3332 --field-trial-handle=1784,i,5561133973344779193,1224499623548939769,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    PID:4848
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Canva" --standard-schemes --enable-sandbox --secure-schemes --bypasscsp-schemes --cors-schemes --fetch-schemes=canva-file --service-worker-schemes --streaming-schemes --app-user-model-id=com.canva.CanvaDesktop --app-path="C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3760 --field-trial-handle=1784,i,5561133973344779193,1224499623548939769,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.canva.com/en/login/transfer?target=ELECTRON
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe69cd46f8,0x7ffe69cd4708,0x7ffe69cd4718
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
      4⤵
      PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      4⤵
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
      4⤵
      PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
      4⤵
      PID:5800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      4⤵
      PID:5880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:4224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
      4⤵
      PID:5600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1472,13712279997053202274,9389331575210930912,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.canva.com/en/login/transfer?target=ELECTRON
    3⤵
    PID:5260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe69cd46f8,0x7ffe69cd4708,0x7ffe69cd4718
      4⤵
      PID:3800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NonInteractive -InputFormat None -Command "Get-AuthenticodeSignature -LiteralPath 'C:\Users\Admin\AppData\Local\canva-updater\pending\temp-Canva Setup 1.76.0.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }"
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NonInteractive -Command "ConvertTo-Json test"
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NonInteractive -Command "ConvertTo-Json test"
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
- - C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe
    "C:\Program Files\WindowsApps\Canva.Canva_1.74.1.1_x64__n2m7swxggd232\Canva.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Canva" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2676 --field-trial-handle=1784,i,5561133973344779193,1224499623548939769,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
18KB

MD5
656d8d1780f80060a9fb99534b6ec2ac

SHA1
880c5c1a121e1c102cadd1e826fa1d0240215fb2

SHA256
d1b64c59cbcf06d7efab6494b3d6a8b28da0dacac3c2a53922120fa845dfab68

SHA512
c7c852b8d764f775c73bdf668ec4d9e30ec2a8a5cae8a9190d6726af82bb914c4d5b5fba3e8fed4b09705e21b8f9dc85724be4dea4db5798d66a8ee6ca6974f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
84KB

MD5
faa6cdb69c74c23ef804b6462a9f767f

SHA1
243a6d87d7bc397a00f8ad3470085decc55cfcec

SHA256
ce438e6645957d9adea645b91729fce37729656f75b5c6c466759979a4553f49

SHA512
d27e8797ed063e629897e00bbc12f62b9a341792ed965c19bc61d17a46df34893be1cd5c8abf2f761b607a663fc0df94a94e00e16517739ef16eac7f77b09094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
37KB

MD5
cff149ee1e9d2be50ac77bcd86769d05

SHA1
a1b8a95ddfe811a098d0298e83dd711e90943732

SHA256
c84de7e52d68bd3b651219e7085236babc85a0c7c79f21a14f0cdddbd0fb4b4c

SHA512
d27e713343f51a75e909b4a01d3f2ffb95ee82e13a1b21a9d3034d3858579e4c3febae76e1af706b820e51583254281e256b825f1742167e1e072dc59cdf1ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
309KB

MD5
2795f745b3c77d8b0f6c5cc46ae87655

SHA1
af799a6fa688f584051f5189a2626e3a63ab1466

SHA256
73b1e47cbe4764b3482e2795b8627b24ec8db35f091f15d0583ead0b57d2c7e1

SHA512
124c28b360acdc1287ae0d59a527f1a19ea1597f7c3925d29a0874c90ffa7ad517cd20fc4e44a209efabd0ac3b2c6d86eb681c9a4cdb049e742267b1c887862d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
df04337be02b2328f588eb5bd45a0274

SHA1
a5f4b1780970227205356ad64d09d7cd26aa7013

SHA256
91d2725bbd3fac3afa18cd1eab1d01309cc0f52b6f35a39e5b38b643126e06f0

SHA512
4cfe798ec55b9a5a372bf18c6278c25ff7efab4fac99a79365bc73e36a3366e43a66890cb3b825b20b7e32e8e1932cf06b660486bbcb20f29e7c6e2113d59c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6fe5c32e0ea53dd47d6406851f226218

SHA1
88f930b6be7763e0032635d47f33be327286c168

SHA256
c161c4f56a98d7a66955cf9f5ba9f186604e57198456d24717fce3d6b4689e55

SHA512
11e9a9b67e0e48c16b9e6679b65be81e86f0740175d5fb731c2e40ce72e6de3071e82a910517bf4715fea785989d54622144095f4ed0ef78a530c14b607049ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bae3cd8249b16cd25a8c48a7588d4648

SHA1
cc0c17e6c8bd9a74e0731cb343f6f9e386818067

SHA256
dcccdedeea2df82daa868739d76bd94f91f9f4cd17e41f50c0d020d7b6855e4d

SHA512
ddab657a7eb3d9c5082598c32a58b95e2e8666dec6e496cbda2ebd0d5c65627a0505d3de582bbbbf456b1ceac7c7f1a54fb84bbc197f1239c636281a84907a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
207855c85399fae262b94597f909fea8

SHA1
8a75d4089245f9b27cb72a955254cdfcbb249d9e

SHA256
be57a621602f8ff364304fe0f6161977e45d54824a61884e590d942b18dc79c2

SHA512
b77557a0c8752b1860811d1bdfd914a25f2aa5b28054e63f4e54860d803e1359ff09833b8cab9d9a6413b507c2c064674c6bc44e059f1ce6b5e450bc0769722a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d1394a4c842f7861ad7ae5e20da4b484a0c4acad\index.txt

Filesize
77B

MD5
9ec7eae01654acec1ade01fc795084c4

SHA1
a11440ea7512f1daf4e6c5921a84342170ac040e

SHA256
7a561fcd17cf976dae23bdfe24308a8a936cf7b88ee0bd19f913f050238743c8

SHA512
222e8929e46cd8b74b28f47c681e51f3ce80b625c000999eb6b44f9e11fc697860242486e263fec83f80ae40e953421d1d9d86109467ec792823fef97d395702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d1394a4c842f7861ad7ae5e20da4b484a0c4acad\index.txt~RFe594bf3.TMP

Filesize
84B

MD5
53a93ce158a7a5e784703613c8ea751a

SHA1
bcdb0854afbedbaf246187c06b509fad2fca96a5

SHA256
dcb112cf1a5bfae51e4a7af0866bda0b95ba38866da5b8f7eaa4bb9ff8b83290

SHA512
180211e13c6defaf045a902f1cb1db9d322f0d9414b606ccca7460a73d0d8a85670969c856797e22dca45249afbf73f4d525d6e591223d5ec8cb6e906a887f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
360B

MD5
bdf7d52582f358f6da99e84f4684ea34

SHA1
a6f384a891ddd7a76e30c8b8931846013fbd22f6

SHA256
21fe0d95e22051f7e87f924ccd677a49bf4579cbcf076665a982a6cbc6383ba2

SHA512
e383542ab1eb81da6a1f03acd9b078790bd03d24d3a80c3500215e2049a0d3e0aa71aa135737281ed20f515cc3d5a7f091f1f17f1d6352ffde07a8ab5c8750ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5950a7.TMP

Filesize
48B

MD5
54723a6038a52117ad1968d71760db78

SHA1
9eef7455e2ee7944e89fa946bf0a5941bd774c0b

SHA256
81b0b67cd55d9decef7a7143a769dc0376f1c64e225c24985acaf099d96c4355

SHA512
b3da7707f7a7d3b55506cd679c53ecb8f8b655dfd6a00c24def3f95e9a73dfaa97c6231d421c5c0bda8ba68f2e7930929ece8ec106de147d9ca06a6b5ffe5d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
dc838e82da6eefd65d49f35ce673edb4

SHA1
df44ef12dc97b8beb6722562e3272307c3bb718a

SHA256
0f66019e62ce56e10fc0ad9a45d3387a94929ef2201e9c5f0ee059832b2a5f0a

SHA512
68cb634af7523411d9e1f6ff84caf62fea28a156a34519bdb6d8893aecf375f9d978b40be0ec069108f25cfc57a737f154b3bd1988f432f6c855241fe65a633c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
ba921af0b7419d094c4839b8ca8fc9ce

SHA1
ba8e6a5c207da7a6ed44344cb492677585a58f7a

SHA256
6e662d38ac81423eead56ab4b1b2c577e67ccd14f60e0a24ffec0021b568b478

SHA512
844f8ca15b8b6f580f31df0a06b73333264a56f2741348cc7c7e9b5d2c44d267489666d2fbe94db5f3343665c5a8a85421a0af84e104be899d7e2a0edfc6fa5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
9e34892a12e62fdae8f5f9a993817f5a

SHA1
97a849acf5e196a3d0a9a022f6ba4726d3e336c0

SHA256
0720d07342bf0f626e9fcd6a773b8a2a66b55d9d4be1c4a328922e26b17f182b

SHA512
aa9a9594d832e4109805897b66e27a50a20332848f91503b695d74cfe67ae21af44236e3a8f7dddb4f72465a98e7592ede3e465c95c4f50ed3df61979dc54e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
8d09fc78e678d16501f3162eb7d45e9a

SHA1
ca81d1739b5a1a56700c8c9cbe3708e1742948c4

SHA256
75aadeb1a0686d2ebf1dd34a3c45cc123d639be37f2de14927d69d36faf3a2ef

SHA512
784c297cf08ccea743b89b514db91bf834a60c708f69fdc69c48e84696544aed3e9ec0377a573109d4bcf6eedcf348bcc2c0adc849a16fd2d59054c46db85796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
56b300293a623ea8d12716d258593dbd

SHA1
8c951938386f9524334daafefed34e831c00b799

SHA256
1999d4914f862877e20bb158eef0388565fcc9ab3357b1416ae5c62ec1c4b1c3

SHA512
58b67270a44bd9580cac945a1e3a730aa6587c29030d78bf84b5dcb248937c8c2fa3b383ae7ecf820134d1ee5c1fc6f7618c93d99f3a650a5abca284b4e15fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
d8974e05c3e7d8d0d95503b37d16500d

SHA1
cfb6612bfb4bcba9b92e179c00d0d9669b0a7421

SHA256
11c8741ff4bfe82674c899eceeb2220986a3215587e2fe6ced436ee73432e676

SHA512
89972ec7e7cc4e34d61f75d8de20f3dca4a1a2277879c34ad1d7fc31ba277e5ee2d45dd2e011c0bd9559e2d5f822e73089330c225530f47f52e3400a9bc8bbbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
c4369397b40d8bc77fccbfdc5208e1ad

SHA1
6f24326d70074acc66b22bc8901cf1696fcff7f6

SHA256
de007de4fda4b53c9c6acef3846832102df7e705c0a744611d60925fac2dca2a

SHA512
6dd729452f9e51b3c73aedf50f54d04fec00b4373d8b9407f7a0531901a71bf8648c7b6773e9843d1b05b0277fa8bc25c79a63210515e7a9087cc763686a74e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
8188a081b33b77af7bd18585dfa40144

SHA1
b6a4ba47312616fe18bb4f8fd0ecf9e80248e046

SHA256
402b23df30c7b2dd3888ac009584297dcd34ee881ceba2e01f9d05270908669e

SHA512
3a6e2c713ce9f03ce2d01545ff75906ec664ebe0f466fe13d8ea84892f228670882f583f3681bf3cbde18a67b48bc4162ea8d1227836ca2319cc99adf29462a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
79a7b063a36d7975236a9de2746c6bd5

SHA1
fc882c6e81ea562698463fc85d9ea88b6db80e59

SHA256
ee0987fa96827e274dea6b74857fd5cdce6631d9e121009b282b1648ea7589c6

SHA512
02f19b5ac5e0bee5a803865e560d4805a2fb96dcc8c8ae9c5a09039a4b4482d95e4859480f1a1026eeb78932ce7bc2b4d6d11dae385a2abc8700b4acd99c9cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
4e31fc15961b29e8ea78146688bc647b

SHA1
3c76af4f076366c85608669f77bd7d0660601458

SHA256
48ba424f331ecb6b421a2e74e5e67d228f6085d8e7762de519c010b60c3de2e1

SHA512
257f6e462b74e983c26293f3b9df11a911199775d07ecb0f2079be4190fe4dc66b183c3f0ef1d7989bc18fbeb2990321453ae23bfa20c8a973f80117175a0a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
4038f407c2a3d547a07c3a09b219e711

SHA1
1e7378977ba9c41902abfe7915fa70a518380227

SHA256
20a508ac88cdfb4dcd2c3a0f83a26231b5035d8f90ea2648a46433c957fb3ec9

SHA512
bf43ce99f93c7463a1d6d526438509c99c0aa58bc4a18a72e70056c9137478898593b8a6ece903fab4c8e2ab2784e88c65446914fef050de0e57fba9f7d1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
679243ce9604a8e7b907624a781338bb

SHA1
01089412e836732c0a91cfa43cef5fb3a2be0396

SHA256
e788c4d032921da07863cb71d7bbcc0a078b5e8485b6a8f3ba06ac469c7c578a

SHA512
00ef351dc1616d1f90c21b6cda2b47bbac276e2781b7229891ef34399d4bf5548d598a1c0005a1f8c8c782df5e030fb97cb8d8f31598384246c4d1f0433a73af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
fdb815efca9fe29ce1a0f57b497fc783

SHA1
53252d6e212e54eab9ea9bf7256acb761ab4e021

SHA256
e2504a2ce454e52cebddccd4b3ebbf09d3da1ba448c5cf642a7114bbfe654cee

SHA512
bdc4efd95e9757a02d66449d2a51614164c49c971d857fe6e4cc57e0064a12408ec6510b248968dc72989e5b05e58244181aba25f3854da9e5b5d8587e9b9d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
594c900650eca0d29021eada85239309

SHA1
35f59477f677fc3abad01ad06938e3fc81417690

SHA256
d04324b9eeeb490fd5a295e6b3bed9811d7d547687fa1e88d6b355435872efd1

SHA512
18507762f34a12ba0652d950c15fed86393f80e26156a9743235bfeac645f9f121f2b4f9da7a81daa9f87cf2be1c4d5174ece0ed920f57ecbce32ae09ce5e0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5923da.TMP

Filesize
537B

MD5
b397534c3ffc5004d6b3bd0f22b9fd65

SHA1
0f8e1efac391e35acd139ec574347e4136c18a56

SHA256
13250a6d986fcf6e00fec0c4deb52ca4027e5fbcbfe9e1f994c1c0a98bee6b14

SHA512
c1c65e548c0681b6140df7e59d0ccb48d355af55b8ad8b2775379520e90a77fccf7525908ef49f81200832671d3de5b042308331aedf002e9bf30aec9d84d833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fbd0a03d-d08f-4c56-9c80-bb2801e09e90.tmp

Filesize
6KB

MD5
7136791d56e903d5c1350a9cc85e064a

SHA1
fbfd75838434a26a39d8c30193fb1e696946e055

SHA256
b29722a38e35f7a374164b9f1dd193899294b89418faefa8797908103b3721d6

SHA512
380364db2e0280da2414f5a080a8eb711484e533ae421d66f9730a94ce9e3f1a90f2da2f1f6f4fb4a962b458dd8cc3a634e218133cf399d9462b0d2273112590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
351000b5fa3675ca870fc23971b772b7

SHA1
ad078828ee078c2fd177843e306bd89c0fa3fc45

SHA256
c984351cd903fd095f06b46a39c5fc5ecd654f12f593d65f3bdfceb4f493607c

SHA512
f7dba0eb33f411f067772177b75d00b2fee29294b0975e58b86cfef4a58d1bf6fb9cdc1d0123782f5966890712fc34bc3a1262fa3dde7b221639ed148d9deb68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f99d44079e0f595672dfd654e197d32a

SHA1
6f6289c16f910ae3f61eef83a0af3797f566d865

SHA256
828e57dfd02d05013799551a92e729230a0f6307862b31d8991b87d1d590bdfa

SHA512
e51f31133a1e2713aa4dae6ebadcb57e979204f451764524181ddfa1ef49be4c37c36b4e04ea679ff5d16542e5ac588254c876a69790550fc57a2e8787d95f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4487e732db20b9cb96f8376338a6e4d6

SHA1
326e398f671c1175191818a1f8c160c18e3b740c

SHA256
7119225a38fa26d43b69f7ccfd304a52661ddfb4d710c98a75df64bed956bc6e

SHA512
cd745c13723709c904e0ceb27a2d3aa715cc04526b9243e0f8adb65bdd18dca61306060d484ba02293b325be995468a78d58e76fde40ca7f02f82e5afe11b241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8038fb63d3a45965fdf588c063be016f

SHA1
ded4e94e179002024aefd709eb74fad7cdb6168e

SHA256
a42dfbb672487ac52e3ea3aaea6a51ca9f3287bf29feaf75a177e78634b2a791

SHA512
d0eafd78029ebedab5cc40de35467403200a810bcad52c8f469839ef3a2a1c2cddc44ba63c19d6b1e86ea0f7ecc82503534517a4ce2e96d5356a67f4d01ab45b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\817c06b4-c0a9-4069-b80b-136e4e3c2c77.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d666fa752fe66860580a6940ee887d02

SHA1
0e32051f654422d471b1d00b3ba5be14234a2b05

SHA256
2027aa9091b6c8b929e8af3f1cd6b7b40be4b60419ef05044e641cd524a9e248

SHA512
4b39b5bb89174f00b3261cf890eb0bd920b11192a60890b0769fcdc9c8c5bf5a894e21ba005741686931f967552bfe44da38327353c8909dee6a26718250ac7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
7790bfe9018727533a9cae66c7c3e293

SHA1
78e1a9a0b64584c8592d2ff0e6571fea8a6a35a6

SHA256
40585380c16c99ebccbef6abff3d70348aa0917b1fa8e57318fabda1ef1e6856

SHA512
aa4a1295db6989a29e818f2d2b38f93167a0bf047d3f4be24bf61196cff48e2239c29bf30a4d48a2b03300f446befbfdab15625d47ccc705982e462322705a0b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\Network Persistent State

Filesize
1KB

MD5
689b53d2dfffc65f59ab04aeaf041262

SHA1
124e271ffea20c481055bc7d80dce9373035307f

SHA256
8a2d705f9131a847c4f55a07fc80c84b720ea1bad50fad39aa226f0e1fb03e75

SHA512
d08de9b51b170aed46988fa53d5249d9be0b6bd8ebf048f6239fbc25d4f353353db4919562da2ad2fc838b371b00a9876db96a2fd458c427de84ca04d2a29b19

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\Network Persistent State

Filesize
1KB

MD5
21e8ab9b0be131ce7d37ad37d392a270

SHA1
2a51a1f4bc2f19b5a9fcc59047e5b00cb0321e7a

SHA256
d9922d411d3099f6f1b54db93edbf25d65f23758a86a65d9b7c885c47653ac1a

SHA512
21e7a5362346d3cfe6deeb4d1241a2e0357432d24cd08b03b1db6b58178ef77fbfac9cf7f7152f6649f8fb565322f8bf5724b82651d4f7ab65976a4d800a03d7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\Network Persistent State~RFe59b0a9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
f599627fba30d96bb5d3419404971ab9

SHA1
00d1cf0ff1ca58b9f1b584cdcbc169ab11d4ff15

SHA256
1ff0f1e5d2e1eb10873244c0913046ce5207ee6bb790697d31a623d53b7d99ae

SHA512
ee7f03793d7564f07a04c4188680224fb62df5de956ab6191cebc432dffea00ac4f2fd1398b7d7b4b099e5c81ad80e58482ab12caa5d61ce91eed5ad2feada7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
e6ae45f0b2156373bff2653a108dbc3a

SHA1
27f621e53a93d7b53e43eb55c0134b7466d5f74e

SHA256
bb9e8f10d10634c5cc7e89f9eebee2b883628ee053f0bf7e6e5607fdd83c0998

SHA512
a164ea93a77865f5b4afafaf1bd6f60ceaff6237910505aa79a1eaa6bd1f3b4048fc492551d75a56da50e8350dd4a280f54ceb9e8376ebe8c7ea355937d64453

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
846B

MD5
bf04fe5cbc8d61360e9270f800ea48c5

SHA1
7af573eaef618416b58723be101ed4c4fe5ccacb

SHA256
b1d9a357132765060664c4ed3fbaad972f98e7d636bc53e077f8566cd4e14259

SHA512
3073ec2153dd68f1b3e43b609b3e3168882b05d5679d57d03d40bef312e1362f9ba28b5ad7379383ff1792709e1a6fa26cd02db4278309207b65d70d0d381be1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
846B

MD5
7bc0111a882db8206fa199b310c3af4b

SHA1
f98d4110deac68416c95b2f7e56261a2da1b5ef3

SHA256
2e3783b554de8d8bf4b40e555f3841334de5d6c96904c2a2b9c1f6ddba3ff55a

SHA512
7ea800adcf2360722e9df414670339728b56ba9eb0d959c4691092d5ba3ae30be9e5e6efde3b0eb30b344c9a7b99dba7ee0188656990b343dfb28a5f3e3c7f19

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
846B

MD5
7e218ad208aaeb7f0a0536b33c5d9405

SHA1
de6ff28ec90f55469027ebb8d240d1f0ed9f54f8

SHA256
2b9be5e26a03cd172d0f782c8dd584d8d0314deb9b968b4a6cb42d2c808afc54

SHA512
8ae2f315f05f4a6e5f0650fcde00bac6457c3afdb8de54a472d5d881a0a6de3cd02e08abad9c392c23e4c5998f67ddeb77110f54ca131e430d06cc320c7fbf6e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
469615c3f5c342ced992adf891ba7dbf

SHA1
a52b8c7bfd691f9641491673d85b8bc1707390e5

SHA256
4a833d0d9b90fb9743f79315b8a158bb7830c76e3c008492506a58dc6dc7c925

SHA512
50f8589c0b8493948713d0ce83b3decd435d2d6bca4af85dbdd7b19ebed1217b1d51ecbff77a8415e2feadc44df117dd59132c5745e936c3ffd4778bb711dc71

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
2508ccca1cc9bad66df3064c78005eaa

SHA1
56a62e2783a20f55d81f7f5355698205a742a660

SHA256
38bec0f4f34f629ba28b0083e548c0d1d856bbc4d597c27db107579b2c08eca5

SHA512
67b76a1d42a7a8b877748607fba77576d65eccdfd9008db2947dc22fd6d3a7edbb21bd2700016dc4e7c0a5f645f45a5ef792a3f85e5a2c4c8286508e1d48b49d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
751c7a291e8f27d40f694edd661aaa16

SHA1
4b0cb4072ac7fda7ce5e318258ce3c457a465551

SHA256
45c351bf7ead92ffee48929f86cd8639a042cf56afd709935d4e6569825ff5da

SHA512
454ea11265e736f54c85ff2fb5322d4700865e982cbd7d4e50622cb99b7066380884183b40e4c47be9750adee245676ac359cf61d34b35272ca46a3ba92e452c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
33279aadb6504e608588bfc2ce7c3cc2

SHA1
e78d1055b4099c34844ce12ac541a902e634c7c1

SHA256
c35b297eb08452519273e86f247ed19c9835a8c372e22f519ec95c870611a87d

SHA512
d472410dd89cb9efd64f97ea1c22d5fd6ac78b4b5388c8ab74dddeb1df8129e921ce3a4174b9311e8b21149c3c4703bdb5b27995cc2dd48026adb6d7d5921d7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
e6685ed9d4364da8ed0ba3a88aa1108e

SHA1
a9a5791f84a5993bb8e8dd5de6ed97fbb90d7996

SHA256
01b64647b00023fb2da78eb7f3fae3543ff949449c538c6f5fde9f9c976d9036

SHA512
c16971d708db09ae32c1afcc8d6cb285abad112100161431369ceb73812583471e50b020d082edb9785035d1f829bbce6a8e75fb14bf4a5e401474a6db945858

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
9f9dcc50cd902b364bc7e842251f3653

SHA1
4a5eac1905693d892a697df4211443ff38f6b4c7

SHA256
5b807059ef1b24b0d5f37cb34c7f5892077e0876d6601f03dfc73ddb7165b779

SHA512
27f067f5a6c60fdf9c23db4f45178d2ec12281f99f66c04c9eb444fd41d5615f92ca595859a1ac01d62181bc23f35fb3a816d43093c3683db2024935f0b4f692

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
483dce911cb9dd1de8974b0340994159

SHA1
fd9fd676f0b4445d7744ed4635804b8e1bfbe689

SHA256
e96d2cfd1b163e436815da474f0393bdd364d0cb8fab719203f06662268cbb57

SHA512
afcf797184b52fa658420a6e7b526c33a5c8d031bd6aa72477640046f041c452419c1c90ca0920ec24ccf56ecfc047457adb912f5a09b34d948d710b6db3dea2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
ef919eb0dc05b132ef731bd84df74ce6

SHA1
93111aec07a77d4232da35e51d2db617e13d3a2e

SHA256
d118bdcea1c9d9afe79266f6aef3219311b3142dc71163074595fda6e39c6329

SHA512
92677cc514ae99790a3d4b7de749ece493929ec71e55b61dedf7f914636b1cad246dd48898f99b7ee3b9af2272e70b31a05c57582ba0635e6885be1df730a8e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
06eb509b7709853625683e1dc0ce57c4

SHA1
ddbd8eea2830f29165ca0d646291656aaae2e969

SHA256
1244ebd6411fdc28d061fa757606d918921e701ad09d4150013ada5795349410

SHA512
f6945fc66f94dc3954a2622ca26f2c2739dbc8e442dfc014765c17324ea5e1afb214a6ebc490535d685d366915deadec39ab2639196568c1c2d7d6783f010ab8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity

Filesize
848B

MD5
a4a50b15ccb996df62758901e7d56023

SHA1
618335f992c02d6d0d0c98c9e23d471d36863b98

SHA256
681bf9dd7eae6ef240c17bd6205406cc5680d08f6aaf8f1ea61db8f203c5ed48

SHA512
56152df735f702e4c7dce564021c6b3b2cb20bf23392126936a03dfaa89b9c5e11d98c4ce41b0ece967826f0fdb83abefd561ec5776df35eb844c231670f7afc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Network\TransportSecurity~RFe58f855.TMP

Filesize
846B

MD5
dd54e4bbefc04fdc6abc10d55015002e

SHA1
110bbc1c218c8e0220e592edabaccf5acc8eaf35

SHA256
2f386d14d9d2397ec5825d829487974a169d84466b8fa5b77de6b3864a8f92dc

SHA512
556fbdd80644b3d4f5102ddf50e1a3c60b5e1f9d1039cc81153561058e67a6221fb37f425bfe953c81d1c4bdeb62e42edd84ba4991743cf1e8a4e2512f8b71b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Service Worker\CacheStorage\d1394a4c842f7861ad7ae5e20da4b484a0c4acad\index.txt

Filesize
105B

MD5
aa6bf0326586feda286bdf4ec5f5e1ba

SHA1
a63c9f0ae97c46dc88ea7ead1f2d9733f885cd32

SHA256
7aaef34eef4ed444284139423874fcd87f0476afa1f0058812bb477663470646

SHA512
e5a6ced875514310430006352b8763b82c07bee61be8bfc1b8f775bfc5e8d3521069d176161b2cbfbb36dfa043a4a462fb76339217f425c8159953e5a85deb91

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Service Worker\CacheStorage\d1394a4c842f7861ad7ae5e20da4b484a0c4acad\index.txt~RFe58e7da.TMP

Filesize
112B

MD5
47fb0fc30cb379dc56ef5f06fdffa064

SHA1
f4393dd06ee8126add95717e6d719b485d054995

SHA256
6163ecd55aa4bb2372e56bc36260982d9ec91e6111dc55584cadb1aee7ec8e85

SHA512
bf757793966a93649b2a6166a2140d3380b62bc27675b49067448dd46384091b4a8a1ca448e64f104e0093071541d7a07d8c17abf2e0d9c655e6196a7160051a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
360B

MD5
520537cc742660a948e7f983a3a2ec26

SHA1
d1a8f6d6ccce7c46c2392bcd73e4b98cf93dbd83

SHA256
e37ec38176e592f6b35b8dcc9ab99e5d69033de990fc4feaaf76b22fadbf37f3

SHA512
6fbc4d88c9f33a82e53e59859cec7ed17c10cc3174cb28262230168fde2fa913f2ac1b9c4f268017c866c28fe885ffbd8fdb31f32590828a3db949bdd1fc6031

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Service Worker\ScriptCache\index-dir\the-real-index~RFe58eb74.TMP

Filesize
48B

MD5
e00ed3aa462f283447278a1b81128e5b

SHA1
db64c9bbc233d9fe4bcd0537199b38f980e9d10c

SHA256
c22eb85dd883472bdb70014eadf84dfe389ad09fb8fb5d16ca151ca237c09e80

SHA512
166b777745ffad7966d9854b26972c4a5e48cf598048760e033141d025d114c15df0cc62e5f9dafed1502298a623c0964bc5007d55695b980e30920912f56567

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\logs\main.log

Filesize
2KB

MD5
6a23b3f56561dc9405690c8d0d9d83c8

SHA1
cd31a9cb1da30a5be01618c816d8a1937801e42e

SHA256
b2a0f15cc3d54d0a7471211e9ac0999b0c2372ab4721c33dcc42bfb590086738

SHA512
94cb68d83a8f2a36f1c313e790366c5f2067093f14146d4ec1b2e28dad77399a07decfd04032ea22e47859102229f00e6439c08a27034e1cf8b5ee316c3c5520

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\sentry\scope_v2.json

Filesize
5KB

MD5
80a666afe34e3e03d60275cf417e2fd7

SHA1
91e7fd8a837c61da919b14d55502db175eb397c8

SHA256
5a866c9186390d4cf7fe24f517bc483962c3a3fb113d07a6fa2df299f7454371

SHA512
11c8bf07cd02f956e65e3c36c235d253317d744486d321cc16b65ed6ce887fcf68794eeb49f9aac3dc66709bfc99d473b88498851f78d13c588511197ae67cb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\sentry\session.json

Filesize
248B

MD5
e4e2d7d35fdb99130347b791df8d2947

SHA1
50bb21354d0ef32a73082dca88b0a0a73145a351

SHA256
ae07a786fcedf33d8b847888e2a38f8840784b2bb3303f086efa4550cb09877f

SHA512
2993625c5691a2bdb4aea2a4ec43e9638a5eb397e83c4503ed099ddbf7974378087c99147fcf0288996525cf73f84d10c9c11ae451c5649da815c5d513eb692d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\session.json.tmp-88655123501e4d92

Filesize
33B

MD5
b94a9be07f892435906c0a588761109e

SHA1
9f859c7b9518b6985d29316d8be3ae3370c8815c

SHA256
6bf37ce811213434ccc45b70c0ee89133c033aaa07e51bbc31f0a01677db604e

SHA512
7137958c085b926555b1b040507f6781833c0158c9a909dd21fea01ed126acd2dab8a952b57578fc6e5f21b587905a513798b9d2be69e9e6fc8ea921eea092ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Canva.Canva_n2m7swxggd232\LocalCache\Roaming\Canva\settings.json

Filesize
14B

MD5
5a225b2a9fc656876d91ada6670a42a1

SHA1
fc477f47a04e3825ad933831466f5f22334c8353

SHA256
3a37107dae311bfef329e6186a4e838d35c73c5c13bdabb66d659feec2d6e8a6

SHA512
9a1fc8df09fd220717b80caf14830af024f71fb45cbbed2e3d6dd6d5c651efc5ee47dc09da2ef84d9e8e1abd2c4ea6edf033acf882cbe8dc481c0345bee341c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zi5je3nq.ozk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3247ec5eb742c3e6e2042f6dfa79b8f2

SHA1
34cbed0ca3f15c1b7bacabf308354efc66bd4af7

SHA256
157135ef9a80dd651fbad52f856d6bf94d530c6a8b0f1cdf8eaecde73e3cd806

SHA512
108eb9f3e22343df615597bcff53c42a45d45f083c584bf9fd3785222226d604427bf4cbafe60217121a45af253f4a959e49a50f320d495769822a3f2f8f6848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3247ec5eb742c3e6e2042f6dfa79b8f2

SHA1
34cbed0ca3f15c1b7bacabf308354efc66bd4af7

SHA256
157135ef9a80dd651fbad52f856d6bf94d530c6a8b0f1cdf8eaecde73e3cd806

SHA512
108eb9f3e22343df615597bcff53c42a45d45f083c584bf9fd3785222226d604427bf4cbafe60217121a45af253f4a959e49a50f320d495769822a3f2f8f6848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
728af1a8cabd309bfe0f1922e239e4cb

SHA1
40b31775cd6d8c2138546e1bddfcf592315233ff

SHA256
604861c6e7aa6598cdc4b3de5de7fa7307dfbc3dccda0297f54c0063e7cc4c28

SHA512
035dcec6f671a23e398db934270d67dccb4c98353a476b6c91f9eda779f63d11e8e1a2ebadae1717fc59287abcb65da62f655d5736f474aaa6b6629d0ae641e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
21624ecc473d5a9c7609756899926024

SHA1
66c6e8936caadc0185944aa97d97325ac17bf5d4

SHA256
4d55f6d5ff903d192b753be7d4f4341a2811c0f9da2ca12980e38ae61688423c

SHA512
41c0abb37db366c392cbfb59cdb9bc98152b2ae9f6c15178798170db19505f8c9aace27be39745b5394f674fb779038b048ce6184a9242908ebf87ff68f2112d

Download Submit
memory/1164-400-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/1164-57-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/1580-808-0x000002136E430000-0x000002136E440000-memory.dmp

Filesize
64KB

Download
memory/1580-813-0x00007FFE67010000-0x00007FFE67AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1580-810-0x000002136E430000-0x000002136E440000-memory.dmp

Filesize
64KB

Download
memory/1580-804-0x00007FFE67010000-0x00007FFE67AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1880-84-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/1880-401-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2384-954-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2384-969-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-970-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2384-966-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-967-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-968-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-965-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-963-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-957-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-959-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-958-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2384-964-0x000001F44FEA0000-0x000001F44FEA1000-memory.dmp

Filesize
4KB

Download
memory/2388-402-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2388-87-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2400-17-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2400-16-0x00007FF778850000-0x00007FF778860000-memory.dmp

Filesize
64KB

Download
memory/2400-55-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/2400-18-0x00007FFE47210000-0x00007FFE47220000-memory.dmp

Filesize
64KB

Download
memory/2652-790-0x00007FFE67010000-0x00007FFE67AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-779-0x00007FFE67010000-0x00007FFE67AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-786-0x0000019EF5540000-0x0000019EF5550000-memory.dmp

Filesize
64KB

Download
memory/2652-781-0x0000019EF5540000-0x0000019EF5550000-memory.dmp

Filesize
64KB

Download
memory/2652-787-0x0000019EF6020000-0x0000019EF6548000-memory.dmp

Filesize
5.2MB

Download
memory/2772-10-0x00007FFE6AB70000-0x00007FFE6B631000-memory.dmp

Filesize
10.8MB

Download
memory/2772-13-0x00007FFE6AB70000-0x00007FFE6B631000-memory.dmp

Filesize
10.8MB

Download
memory/2772-11-0x0000024AEED20000-0x0000024AEED30000-memory.dmp

Filesize
64KB

Download
memory/2772-6-0x0000024AF1480000-0x0000024AF14A2000-memory.dmp

Filesize
136KB

Download
memory/2952-45-0x00007FFE6AB70000-0x00007FFE6B631000-memory.dmp

Filesize
10.8MB

Download
memory/2952-28-0x00007FFE6AB70000-0x00007FFE6B631000-memory.dmp

Filesize
10.8MB

Download
memory/4580-47-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/4580-46-0x00007FF635B20000-0x00007FF635B30000-memory.dmp

Filesize
64KB

Download
memory/4580-399-0x00007FFE87210000-0x00007FFE872CE000-memory.dmp

Filesize
760KB

Download
memory/4816-42-0x00007FFE6AB70000-0x00007FFE6B631000-memory.dmp

Filesize
10.8MB

Download
memory/4816-40-0x000001DCDEDD0000-0x000001DCDEF92000-memory.dmp

Filesize
1.8MB

Download
memory/4816-39-0x00007FFE6AB70000-0x00007FFE6B631000-memory.dmp

Filesize
10.8MB

Download
memory/4984-130-0x00007FFE87F10000-0x00007FFE87F11000-memory.dmp

Filesize
4KB

Download
memory/4984-131-0x00007FFE87D00000-0x00007FFE87D01000-memory.dmp

Filesize
4KB

Download
memory/5652-755-0x000002B0D3390000-0x000002B0D33A0000-memory.dmp

Filesize
64KB

Download
memory/5652-753-0x00007FFE66F60000-0x00007FFE67A21000-memory.dmp

Filesize
10.8MB

Download
memory/5652-757-0x00007FFE66F60000-0x00007FFE67A21000-memory.dmp

Filesize
10.8MB

Download