Malware Analysis Report

2024-11-30 02:40

Sample ID 240407-v8236saa7w
Target CyberLink_PowerDirector_Downloader2.exe
SHA256 fef1d8eccc7dae76fc6765dbb7d1f0bc7c18a59baccae1cf473e69cf78c7d242
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fef1d8eccc7dae76fc6765dbb7d1f0bc7c18a59baccae1cf473e69cf78c7d242

Threat Level: Shows suspicious behavior

The file CyberLink_PowerDirector_Downloader2.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetWindowsHookEx

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:40

Reported

2024-04-07 17:43

Platform

win10-20240404-en

Max time kernel

132s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe

"C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dna.cyberlink.com udp
US 44.236.82.90:443 dna.cyberlink.com tcp
US 8.8.8.8:53 downloader.cyberlink.com udp
US 75.2.35.53:443 downloader.cyberlink.com tcp
US 8.8.8.8:53 90.82.236.44.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 53.35.2.75.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/5048-0-0x0000000075610000-0x00000000756E0000-memory.dmp

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\UNO.ini

MD5 be9d6efbd8632e482c64618f00a701fa
SHA1 cc7c0702a34305282ba77d4eb88db1fa0bbed850
SHA256 d94fd0c7e43df0a03014a44d79653c0845adb29e6222ca47718c46af90847b84
SHA512 c59eee3a838ec35f447c28a701289f3f35ea5ec08d0c38df54482b39a2219598074d49fc162b1ef46d9e20c336221f53bc86de7163183193001b466ff36dd5c8

C:\Users\Admin\AppData\Local\Temp\65f1a0be-926f-4d7c-bae0-07e049aaf7f3.json

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\36cc50f2-065f-4f2c-8b91-4f3078d1d344.json

MD5 0135e8e7c45902e3d4887986e8eec75b
SHA1 002dafb50d4832a609149996621f830bef126006
SHA256 40b88d4680225e64b7beb50729a042bffc6138cac31053edc095495198acf197
SHA512 bb717f1de943181f7ccda9e0ec58b89a2c977c677e4f0d6cb4f536d59b02c66cb2b07e199faf0382dd20c06a4d3483f5c91d1b41bdda7e5e69ccf508cf8b1035

memory/5048-71-0x0000000075610000-0x00000000756E0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-07 17:40

Reported

2024-04-07 17:43

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe

"C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dna.cyberlink.com udp
US 44.240.106.186:443 dna.cyberlink.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 downloader.cyberlink.com udp
US 99.83.161.79:443 downloader.cyberlink.com tcp
US 8.8.8.8:53 186.106.240.44.in-addr.arpa udp
US 8.8.8.8:53 79.161.83.99.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\UNO.ini

MD5 be9d6efbd8632e482c64618f00a701fa
SHA1 cc7c0702a34305282ba77d4eb88db1fa0bbed850
SHA256 d94fd0c7e43df0a03014a44d79653c0845adb29e6222ca47718c46af90847b84
SHA512 c59eee3a838ec35f447c28a701289f3f35ea5ec08d0c38df54482b39a2219598074d49fc162b1ef46d9e20c336221f53bc86de7163183193001b466ff36dd5c8

C:\Users\Admin\AppData\Local\Temp\6ac69de8-f794-4df3-8fd7-95eefbc6eb11.json

MD5 026e0b46d2b3c6bccd2b192e63d64717
SHA1 a53d96777630b6b231fdc8e2f2b60264a6933a29
SHA256 9eb6d82ad2f0c9971dda58eb228eee391926338b8dcb2480652b6205b99ee342
SHA512 ee27f90631b26e06942fbdc36bd0fa0f14f3f7ba1142de91567636b16efd4d4ba25e8d5c5daae9bd41eee63cd9e16ef244768a780877b45a85677f0f380e7155

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\c18f2704-33b5-4b5b-a399-4ebb42487d9e.json

MD5 982e2c5343d0a14cbb659e3a80dd20d6
SHA1 225fe02d63683b542a06338562d57c58ea32ae79
SHA256 db4f9d559ac0cf8580a65fb17e5399d40168be36d53e27193d11f8349a1106c3
SHA512 602ca4b018c735d5644c180eaffea1f59e582cfa1b360051d18c1acff2786f9d9157bbcd12c29cd67a622499b2b73a145de3f7ae3b7519aea754b486d8b83583

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:40

Reported

2024-04-07 17:43

Platform

win7-20240319-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe

"C:\Users\Admin\AppData\Local\Temp\CyberLink_PowerDirector_Downloader2.exe"

C:\Program Files\Windows Sidebar\sidebar.exe

"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets

Network

Country Destination Domain Proto
US 8.8.8.8:53 dna.cyberlink.com udp
US 35.84.205.252:443 dna.cyberlink.com tcp
US 8.8.8.8:53 downloader.cyberlink.com udp
US 75.2.35.53:443 downloader.cyberlink.com tcp

Files

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\UNO.ini

MD5 be9d6efbd8632e482c64618f00a701fa
SHA1 cc7c0702a34305282ba77d4eb88db1fa0bbed850
SHA256 d94fd0c7e43df0a03014a44d79653c0845adb29e6222ca47718c46af90847b84
SHA512 c59eee3a838ec35f447c28a701289f3f35ea5ec08d0c38df54482b39a2219598074d49fc162b1ef46d9e20c336221f53bc86de7163183193001b466ff36dd5c8

C:\Users\Admin\AppData\Local\Temp\Cab40D9.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\f601f5e0-9be0-4387-87a7-690dde0e592c.json

MD5 d4b6a75d11113570a24e0c4f030582e5
SHA1 7339279e227927f818a9b6b7e664c2379864d6dd
SHA256 3f6869dcb32d55216c07643990298cfb1dcfec22dd562685ee6f94dbe841e69c
SHA512 f1603b0adb10d993adcf6e65138e6b51c5b306223003991a029060e3120ec8f7e64182a712a998f0de60a0e9ba99a2d928b8868cc704a3d53b6caa109cda5734

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\cde2e3a8-c6d7-4657-9f61-2bd9dbdeb7ab.json

MD5 2eb16da7f59d18afc9bd49f20caa9e8e
SHA1 a71441e804e9f893cd504d304fba254a39d0f765
SHA256 9227f7887e7460f493d127d22f7e07a47df87efef17cf0ac3950606ecd91b660
SHA512 0df162db48759ff3437352a86ea7bab95ceaac6c0c85443e9cc968ed28c20e218f10ca46d1e9c03a09c77660cd0a9497faf624df6e599ee92d3bbedb8124f49a

C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\CyberLink_PowerDirector_Downloader2.exe_v2\f601f5e0-9be0-4387-87a7-690dde0e592c.json

MD5 b8a5148e42a52262628c64643659e16e
SHA1 ea0970c36be75b682fdf6022028468dacfb380ae
SHA256 0eb9babd7b443b7230b994b90c367e6e76d8fef0b8bb01778dd7bd7a89d66ab8
SHA512 a7e913fc0472a67753ccda6b250e02cc2ecf908552074b83ab42f4cdd65072fe502be39fb62fc21ed36da4984705fd5f724c1ad1c399f40445e701da7be3a20b