File name: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe

Full analysis: https://app.any.run/tasks/447466f6-578f-4157-8749-481fc25753c5
Verdict: Malicious activity
Analysis date: February 16, 2025, 20:16:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, nodejs
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 09CE14A5F9E281B150CC49A82F199F7A
SHA1: BCE4478DFCBB9543C58351ECB764342216CDC7CB
SHA256: C0C83C0A73A11E5DB757840CC313A6C7D4AA35A73F134140681883F81ACE3D91
SSDEEP: 98304:dX1w02mRLH5j2U3a+xPTAVYlakSrxV8kwkPolYKb8OBRngCw6S3D659mD/IE3Ntx:7beKa4Cr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • The process creates files with name similar to system file names

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • Process drops legitimate windows executable

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
    • The process drops C-runtime libraries

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • Executable content was dropped or overwritten

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • Reads security settings of Internet Explorer

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
      • push_detect.exe (PID: 4336)
      • push_detect.exe (PID: 6232)
      • douyin_tray.exe (PID: 3920)
      • douyin.exe (PID: 3052)
    • Creates a software uninstall entry

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • Searches for installed software

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
      • douyin_launcher.exe (PID: 3820)
      • douyin.exe (PID: 3052)
      • douyin_tray.exe (PID: 3920)
    • There is functionality for taking screenshot (YARA)

      • douyin_tray.exe (PID: 3760)
      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
    • The process checks if it is being run in the virtual environment

      • douyin.exe (PID: 3052)
      • systeminfo.exe (PID: 6236)
    • Application launched itself

      • douyin.exe (PID: 3052)
    • Checks Windows Trust Settings

      • douyin.exe (PID: 3052)
  • INFO

    • The sample compiled with english language support

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
    • Checks supported languages

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin.exe (PID: 3488)
      • elevation_service.exe (PID: 2216)
      • douyin_tray.exe (PID: 3760)
      • push_detect.exe (PID: 4336)
      • DynamicDependencyLifetimeManagerShadow.exe (PID: 2092)
      • DynamicDependencyLifetimeManagerShadow.exe (PID: 4420)
      • douyin_launcher.exe (PID: 3820)
      • douyin.exe (PID: 3052)
      • douyin.exe (PID: 4944)
      • douyin.exe (PID: 5404)
      • douyin.exe (PID: 3760)
      • douyin.exe (PID: 1468)
      • douyin_tray.exe (PID: 3920)
      • push_detect.exe (PID: 6232)
      • DynamicDependencyLifetimeManagerShadow.exe (PID: 6412)
      • douyin_widget.exe (PID: 6772)
      • DynamicDependencyLifetimeManagerShadow.exe (PID: 6540)
      • douyin.exe (PID: 6552)
      • systeminfo.exe (PID: 6236)
      • systeminfo.exe (PID: 7112)
      • douyin.exe (PID: 6304)
      • douyin.exe (PID: 7040)
      • douyin.exe (PID: 7048)
    • Create files in a temporary directory

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
      • douyin.exe (PID: 3052)
    • Creates files in the program directory

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin.exe (PID: 3052)
      • douyin_tray.exe (PID: 3920)
      • douyin_widget.exe (PID: 6772)
    • Reads the software policy settings

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • elevation_service.exe (PID: 2216)
      • douyin_tray.exe (PID: 3760)
      • douyin_launcher.exe (PID: 3820)
      • douyin.exe (PID: 3052)
      • douyin_tray.exe (PID: 3920)
    • Manual execution by a user

      • Taskmgr.exe (PID: 1448)
      • Taskmgr.exe (PID: 4544)
    • Reads the computer name

      • douyin.exe (PID: 3488)
      • elevation_service.exe (PID: 2216)
      • douyin_tray.exe (PID: 3760)
      • douyin_launcher.exe (PID: 3820)
      • douyin.exe (PID: 3052)
      • push_detect.exe (PID: 4336)
      • douyin.exe (PID: 4944)
      • douyin.exe (PID: 5404)
      • douyin.exe (PID: 3760)
      • push_detect.exe (PID: 6232)
      • douyin_tray.exe (PID: 3920)
      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin.exe (PID: 1468)
      • douyin.exe (PID: 6552)
      • douyin_widget.exe (PID: 6772)
      • systeminfo.exe (PID: 7112)
      • douyin.exe (PID: 6304)
      • douyin.exe (PID: 7040)
      • douyin.exe (PID: 7048)
      • systeminfo.exe (PID: 6236)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 1448)
    • The sample compiled with chinese language support

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
    • Process checks computer location settings

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • push_detect.exe (PID: 4336)
      • douyin_tray.exe (PID: 3760)
      • douyin.exe (PID: 3052)
      • douyin.exe (PID: 3760)
      • push_detect.exe (PID: 6232)
      • douyin.exe (PID: 1468)
      • douyin_tray.exe (PID: 3920)
      • douyin_widget.exe (PID: 6772)
      • douyin.exe (PID: 6552)
    • Reads the machine GUID from the registry

      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_tray.exe (PID: 3760)
      • douyin.exe (PID: 3052)
      • douyin_tray.exe (PID: 3920)
      • douyin_widget.exe (PID: 6772)
    • Creates files or folders in the user directory

      • douyin_tray.exe (PID: 3760)
      • douyin.exe (PID: 3488)
      • douyin.exe (PID: 3052)
      • douyin.exe (PID: 5404)
      • douyin_tray.exe (PID: 3920)
      • douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe (PID: 5392)
      • douyin_widget.exe (PID: 6772)
      • douyin.exe (PID: 6304)
    • The sample compiled with korean language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with japanese language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with czech language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with french language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with arabic language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with turkish language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with Indonesian language support

      • douyin_tray.exe (PID: 3760)
    • The sample compiled with swedish language support

      • douyin_tray.exe (PID: 3760)
    • Checks proxy server information

      • douyin_tray.exe (PID: 3760)
      • douyin.exe (PID: 3052)
      • douyin_tray.exe (PID: 3920)
      • douyin_widget.exe (PID: 6772)
    • Reads CPU info

      • douyin.exe (PID: 3052)
      • douyin_widget.exe (PID: 6772)
      • systeminfo.exe (PID: 6236)
    • Node.js compiler has been detected

      • douyin.exe (PID: 3052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.4.0.21433
ProductVersionNumber: 5.4.0.21433
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Beijing Microlive Vision Technology Co., Ltd.
FileDescription: 【抖音】记录美好生活
FileVersion: 5.4.0.21433
LegalCopyright: Copyright © 2025 Beijing Microlive Vision Technology Co., Ltd.
ProductName: douyin
ProductVersion: 5.4.0
No data.
All screenshots are available in the full report
Total processes: 169
Monitored processes: 39
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8tyly5bjujh.exe taskmgr.exe no specs taskmgr.exe douyin.exe no specs elevation_service.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs douyin_tray.exe push_detect.exe no specs conhost.exe no specs dynamicdependencylifetimemanagershadow.exe no specs dynamicdependencylifetimemanagershadow.exe no specs rundll32.exe no specs douyin_launcher.exe douyin.exe douyin.exe no specs douyin.exe douyin_tray.exe douyin.exe no specs douyin.exe no specs push_detect.exe no specs conhost.exe no specs dynamicdependencylifetimemanagershadow.exe no specs dynamicdependencylifetimemanagershadow.exe no specs douyin.exe no specs douyin_widget.exe douyin.exe no specs douyin.exe no specs systeminfo.exe no specs systeminfo.exe no specs douyin.exe no specs douyin.exe no specs douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8tyly5bjujh.exe no specs

Process information

(Columns: PID, CMD, Path, Indicators, Parent process)
PID: 444
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="douyin" dir=in action=allow protocol=UDP program="C:\Program Files\ByteDance\douyin\5.4.0\douyin.exe"
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1016
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1296
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1448
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1460
CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="douyin_launcher" dir=in action=allow protocol=TCP program="C:\Program Files\ByteDance\douyin\douyin_launcher.exe"
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1468
CMD: "C:\Program Files\ByteDance\douyin\5.4.0\douyin.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\douyin" --app-path="C:\Program Files\ByteDance\douyin\5.4.0\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --enable-blink-features=DocumentPictureInPictureAPI --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4784 --field-trial-handle=3368,i,7228971252101608220,13054104561112137291,131072 --enable-features=Mixrender --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --window-name=MAIN_WINDOW --v8_max_old_space_size_mb=2000 --isOpenContextIsolation=close --getAppUserDataPath="C:\Users\admin\AppData\Roaming\douyin" --global-props="{\"appLang\":\"\",\"appName\":\"douyin\",\"appTheme\":\"light\",\"appVersion\":\"5.4.0\",\"bottomHeight\":0,\"bulletVersion\":\"0.0.0-beta-20241204031351\",\"is32\":0,\"isAccessable\":0,\"isFoldableDevice\":0,\"isIphoneX\":0,\"isLandScape\":0,\"isPad\":0,\"lang\":\"\",\"os\":\"Windows\",\"osVersion\":\"10.0.19045\",\"region\":\"US\",\"lynx_version\":\"2.12.0\",\"lynxSdkVersion\":\"2.12.0\",\"contentWidth\":800,\"contentHeight\":600,\"screenWidth\":800,\"screenHeight\":600,\"safeArea\":{\"marginTop\":0,\"marginBottom\":0,\"marginLeft\":0,\"marginRight\":0},\"topHeight\":0,\"originUrl\":\"sslocal://webview?url=about%3Ablank&options=%7B%22webPreferences%22%3A%7B%22webviewTag%22%3Atrue%2C%22devTools%22%3Atrue%2C%22sandbox%22%3Afalse%2C%22preload%22%3A%22C%3A%5C%5CProgram%20Files%5C%5CByteDance%5C%5Cdouyin%5C%5C5.4.0%5C%5Cresources%5C%5Capp.asar.unpacked%5C%5Cpreload.js%22%2C%22additionalArguments%22%3A%5B%22--window-name%3DMAIN_WINDOW%22%2C%22--v8_max_old_space_size_mb%3D2000%22%2C%22--isOpenContextIsolation%3Dclose%22%2C%22--getAppUserDataPath%3DC%3A%5C%5CUsers%5C%5Cadmin%5C%5CAppData%5C%5CRoaming%5C%5Cdouyin%22%5D%7D%2C%22containerId%22%3A%22b3849e08-d18a-42a3-86aa-02bbe58d06dc%22%7D&containerId=b3849e08-d18a-42a3-86aa-02bbe58d06dc\",\"queryItems\":{\"url\":\"about:blank\",\"options\":\"{\\\"webPreferences\\\":{\\\"webviewTag\\\":true,\\\"devTools\\\":true,\\\"sandbox\\\":false,\\\"preload\\\":\\\"C:\\\\Program Files\\\\ByteDance\\\\douyin\\\\5.4.0\\\\resources\\\\app.asar.unpacked\\\\preload.js\\\",\\\"additionalArguments\\\":[\\\"--window-name=MAIN_WINDOW\\\",\\\"--v8_max_old_space_size_mb=2000\\\",\\\"--isOpenContextIsolation=close\\\",\\\"--getAppUserDataPath=C:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\douyin\\\"]},\\\"containerId\\\":\\\"b3849e08-d18a-42a3-86aa-02bbe58d06dc\\\"}\",\"containerId\":\"b3849e08-d18a-42a3-86aa-02bbe58d06dc\"},\"resolvedUrl\":\"about:blank\",\"bulletStorageValues\":{},\"userDomainStorageValues\":{},\"channel\":\"unknown\",\"deviceId\":\"943731192\",\"isLogin\":0,\"foo\":\"bar\"}" --container-id=cb653a55-db35-44ec-ae30-1143ce75fb3a --window-name=MAIN_WINDOW --v8_max_old_space_size_mb=2000 /prefetch:1
Path: C:\Program Files\ByteDance\douyin\5.4.0\douyin.exe
Parent process: douyin.exe
User: admin
Company: Beijing Microlive Vision Technology Co., Ltd.
Integrity Level: HIGH
Description: douyin
Version: 5.4.0.21433
Modules (images):
c:\program files\bytedance\douyin\5.4.0\douyin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 1576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2092
CMD: "C:\Program Files\WindowsApps\Microsoft.WinAppRuntime.DDLM.4000.1049.117.0-x8_4000.1049.117.0_x86__8wekyb3d8bbwe\DynamicDependencyLifetimeManagerShadow.exe" 4336;Microsoft.WinAppRuntime.DDLM.4000.1049.117.0-x8_4000.1049.117.0_x86__8wekyb3d8bbwe;{43900938-d97f-4c9f-bdb8-ca864678a4d7}
Path: C:\Program Files\WindowsApps\Microsoft.WinAppRuntime.DDLM.4000.1049.117.0-x8_4000.1049.117.0_x86__8wekyb3d8bbwe\DynamicDependencyLifetimeManagerShadow.exe
Parent process: push_detect.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DynamicDependencyLifetimeManagerShadow.exe
Exit code: 0
Version: 1.4
Modules (images):
c:\program files\windowsapps\microsoft.winappruntime.ddlm.4000.1049.117.0-x8_4000.1049.117.0_x86__8wekyb3d8bbwe\dynamicdependencylifetimemanagershadow.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll

PID: 2216
CMD: "C:\Program Files\ByteDance\douyin\5.4.0\elevation_service.exe" --install
Path: C:\Program Files\ByteDance\douyin\5.4.0\elevation_service.exe
Parent process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
User: admin
Company: The Chromium Authors
Integrity Level: HIGH
Description: Chromium
Exit code: 0
Version: 108.0.5359.215
Modules (images):
c:\program files\bytedance\douyin\5.4.0\elevation_service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imm32.dll

PID: 2996
CMD: "C:\Users\admin\AppData\Local\Temp\douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe"
Path: C:\Users\admin\AppData\Local\Temp\douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Parent process: explorer.exe
User: admin
Company: Beijing Microlive Vision Technology Co., Ltd.
Integrity Level: MEDIUM
Description: 【抖音】记录美好生活
Exit code: 3221226540
Version: 5.4.0.21433
Modules (images):
c:\users\admin\appdata\local\temp\douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8tyly5bjujh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Total events: 30 359
Read events: 30 307
Write events: 29
Delete events: 23

Modification events

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ByteDance\douyin
Operation: write | Name: InstallPersetDir | Value: C:\Program Files\ByteDance\douyin

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ByteDance\douyin
Operation: write | Name: PersetAutoStart | Value: 1

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ByteDance\douyin
Operation: write | Name: PersetShortcut | Value: 1

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ByteDance\douyin
Operation: write | Name: PersetChannelID | Value: 20003

(PID) Process: (1448) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: delete value | Name: Preferences | Value:

(PID) Process: (1448) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: write | Name: Preferences | Value:

(PID) Process: (1448) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: write | Name: Preferences | Value:

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\douyin
Operation: write | Name: DisplayName | Value: 抖音

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\douyin
Operation: write | Name: UninstallString | Value: "C:\Program Files\ByteDance\douyin\uninst.exe"

(PID) Process: (5392) douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\douyin
Operation: write | Name: DisplayIcon | Value: C:\Program Files\ByteDance\douyin\5.4.0\douyin.exe

Executable files: 148
Suspicious files: 519
Text files: 219
Unknown types: 1

Dropped files

(Columns: PID, Process, Filename, Type, MD5, SHA256)

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\app_shell_cache_6383\app_package_3db943058f-wid-8TYlY5BjUjh.exe
MD5: | SHA256:

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\app_shell_cache_6383\app.7z
MD5: | SHA256:

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh82E0.tmp\shell_downloader.dll | Type: executable
MD5: 1AAC063181506DFCC5F0F53478A91A29 | SHA256: 58EAF7B63BD7F7D13F248D099554CCE5FAD1641FB63CDDF78CA6D11F0603EBE8

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh82E0.tmp\BgWorker.dll | Type: executable
MD5: 260AD7D774621ACC0C3B0380183A45C6 | SHA256: DC5E310EAD06466DDB9320B06DAFF9EBBAD22124798F09D325B581467BD59C08

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh82E0.tmp\ThreadTimer.dll | Type: executable
MD5: 6F387F129271FC0698B0886E9967D527 | SHA256: 636818F1B2071855DF87D5068F989EECD744E3476D89703478ED6718B0B84245

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh82E0.tmp\nsProcess.dll | Type: executable
MD5: C30C6C6C5CC5585C5D7DB7B01166BF8A | SHA256: 40D421FD294777233C7207D9C67DFCE3E324145F495DA36302A7ABEDBAC2810F

PID: 1448 | Process: Taskmgr.exe
Filename: C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | Type: text
MD5: F49655F856ACB8884CC0ACE29216F511 | SHA256: 7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh82E0.tmp\res.zip | Type: compressed
MD5: 37F55287D57F28668FA7676A717F937E | SHA256: C3BB301DA18E9C75397631A8EC505907242F039B338391F9F58A18765AD8D1F8

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh82E0.tmp\nsis7z.dll | Type: executable
MD5: 26B3F79D40C2CF8CA439E077AB7A3B7B | SHA256: AB9D1252F6CE706CAEDF8F886666AA86A64A3BAF8289171BBC347F0A4FEFF1B5

PID: 5392 | Process: douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe
Filename: C:\Users\admin\AppData\Local\app_shell_cache_6383\$PLUGINSDIR\BgWorker.dll | Type: executable
MD5: 260AD7D774621ACC0C3B0380183A45C6 | SHA256: DC5E310EAD06466DDB9320B06DAFF9EBBAD22124798F09D325B581467BD59C08

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 183
DNS requests: 88
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4500 | svchost.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4500 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5460 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3060 | SIHClient.exe | GET | 200 | 2.20.102.93:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3060 | SIHClient.exe | GET | 200 | 2.20.102.93:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5356 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
6100 | SystemSettings.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4500 | svchost.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4500 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4500 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5392 | douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | 112.90.95.59:443 | mcs.zijieapi.com | China Unicom Guangdong IP network | CN | unknown
4 | System | 192.168.100.255:138 | whitelisted
5392 | douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | 163.181.92.231:443 | mcs.zijieapi.com | Zhejiang Taobao Network Co.,Ltd | DE | whitelisted
5392 | douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | 163.181.131.216:443 | lf-douyin-pc-web.douyinstatic.com | US | unknown
4 | System | 192.168.100.255:137 | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.48.23.194, 23.48.23.164, 23.48.23.193, 23.48.23.176, 23.48.23.177, 23.48.23.156, 23.48.23.147, 23.48.23.169, 23.48.23.167 | whitelisted
www.microsoft.com | 184.30.21.171, 2.20.102.93 | whitelisted
mcs.zijieapi.com | 112.90.95.59, 112.90.95.62, 123.6.63.50, 123.6.63.52, 221.194.141.158, 221.194.141.161, 163.181.92.229, 163.181.92.233, 163.181.92.234, 163.181.92.228, 163.181.92.230, 163.181.92.235, 163.181.92.231, 163.181.92.232 | unknown
api.toutiaoapi.com | 163.181.92.231, 163.181.92.232, 163.181.92.233, 163.181.92.234, 163.181.92.235, 163.181.92.228, 163.181.92.229, 163.181.92.230 | unknown
lf-douyin-pc-web.douyinstatic.com | 163.181.131.216, 163.181.131.217, 163.181.131.208, 163.181.131.209, 163.181.131.210, 163.181.131.211, 163.181.131.212, 163.181.131.215, 47.246.46.228, 47.246.46.229, 47.246.46.230, 47.246.46.231, 47.246.46.232, 47.246.46.225, 47.246.46.226, 47.246.46.227 | unknown
www.bing.com | 95.101.38.171, 95.101.38.162, 95.101.38.161, 95.101.38.174, 95.101.38.166, 95.101.38.163, 95.101.38.164, 95.101.38.168, 95.101.38.158, 92.123.104.34, 92.123.104.62, 92.123.104.38, 92.123.104.32 | whitelisted
ocsp.digicert.com | 23.54.109.203 | whitelisted
login.live.com | 40.126.32.140, 40.126.32.68, 20.190.160.130, 40.126.32.134, 20.190.160.14, 40.126.32.133, 40.126.32.138, 20.190.160.4, 20.190.159.0, 20.190.159.23, 20.190.159.130, 40.126.31.67, 20.190.159.131, 40.126.31.73, 40.126.31.2, 20.190.159.128 | whitelisted

Threats

No threats detected
Process | Message
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxDesktopShortcut status:1
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | chkAgree status:1
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxAutoStart status:1
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | exec
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxCustomInstall status:0
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxAutoStart status:1
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxDesktopShortcut status:1
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxDesktopShortcut status:1
douyin-downloader-v5.4.0-win32-ia32-douyinwallpaper-wid-8TYlY5BjUjh.exe | checkBoxAutoStart status:1
elevation_service.exe | [0216/201909.402:INFO:mcs_reporter_wrapper.cc(32)] guid = 265b2209197a75c5561f5cf0fce576bd