087ea191ce8ea2c526a833ac49f31f0b225aba58c77ccffc19db6c80335937a5

Analysis

max time kernel
1799s
max time network
1795s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
Size

3.0MB
MD5

0595a61ec3b4ebe97ff87dbb1ba62ea7
SHA1

121b6c8035eb62dd6f57b89437f2f9c28ec01312
SHA256

087ea191ce8ea2c526a833ac49f31f0b225aba58c77ccffc19db6c80335937a5
SHA512

f62ba5333fae84b6318e985c916b623487c327abab40efde8f0ea1ce3904132b1eb4ee6f73055ceeed2c79d1e58cd212e4db380cac77b8968da3fc0dffd0a47c
SSDEEP

49152:w7OojxkK9tQ11lWpzV3GoMdKgj1Kva7XOv9DFLOz+4fSkVaDCXKxbKpRPfrhBSRN:w7XjSKe1ezhGvj1KvOX0gBTVams0N7SH

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1644	netsh.exe
880	netsh.exe
4872	netsh.exe
4432	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	douyin_widget.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	douyin.exe

Executes dropped EXE 11 IoCs

pid	Process
3896	douyin.exe
4516	elevation_service.exe
792	douyin_tray.exe
3916	douyin_widget.exe
3036	douyin.exe
4588	douyin.exe
1924	douyin_tray.exe
540	douyin.exe
556	douyin.exe
2408	systeminfo.exe
544	douyin.exe

Loads dropped DLL 64 IoCs

pid	Process
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
3896	douyin.exe
3896	douyin.exe
3896	douyin.exe
3896	douyin.exe
3896	douyin.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
792	douyin_tray.exe
792	douyin_tray.exe
792	douyin_tray.exe
792	douyin_tray.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
4588	douyin.exe
4588	douyin.exe
4588	douyin.exe
4588	douyin.exe
4588	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
1924	douyin_tray.exe
1924	douyin_tray.exe
1924	douyin_tray.exe
1924	douyin_tray.exe
540	douyin.exe
540	douyin.exe
540	douyin.exe
540	douyin.exe
540	douyin.exe
556	douyin.exe
556	douyin.exe
556	douyin.exe
556	douyin.exe
556	douyin.exe
540	douyin.exe
540	douyin.exe
540	douyin.exe
544	douyin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douyinTray = "C:\\Program Files\\ByteDance\\douyin\\douyin_launcher.exe --start_type=autorun"	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	douyin_tray.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	douyin_tray.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	douyin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	douyin.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	systeminfo.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\es.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\svg\quit.cb09274b.svg	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\perf_monitor.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\locales\fil.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\locales\hi.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\ja.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\vk_swiftshader_icd.json	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragStart\images\img_9.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenGuideClose\images\img_4.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuHideBody\images\img_0.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\libEGL.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\locales\pt-PT.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\startup_animation\animation.webp	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\redpoint\16\desktop_icon.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\ic_wallpaper_blod.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenGuideClose\images\img_1.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\push_default_light.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\tips_exit_blod_dark.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar.unpacked\node_modules\@bytegecko\node-client	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\out\macos_arm64\gecko.node	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\out\macos_x86_64\libcurl.4.dylib	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenBye\images\img_10.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenGuideShow\images\img_4.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\locales\ml.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\resources.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\data	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\svg\remove.e9832a0b.svg	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\md5.json	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\gecko.js	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\snapshot_blob.bin	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\lynx_core.js	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\out\macos_x86_64\libcurl.4.dylib	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragEnd\images\img_0.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuShowBody\data.json	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuShowHand\images\img_1.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\tips_exit_blod_dark.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tt_crash_reporter.exe	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@byted\tray-node\get_node.js	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\svg\arrow.fb3b94e2.svg	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\parfait.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\gecko.js	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragEnd\images\img_5.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\resources\edt\logo.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_7.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragStart\images\img_5.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\renderkit_windows.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\de.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\LICENSES.chromium.html	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\out\windows_x86\gecko.node	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\svg\search.9c50ec02.svg	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@byted\electron-update-driver\exe\bin\ia32\UpdateDriverSdk.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_tray.exe	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\libGLESv2.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\lynx_shared.dll	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@byted\electron-systeminfo\cli\bin	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuShowHand\images	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\ml.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\sk.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenBye\images\img_8.png	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenGuideClose\data.json	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\svg\home.90fca5f3.svg	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\nb.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File created	C:\Program Files\ByteDance\douyin\3.4.0\locales\zh-CN.pak	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
File opened for modification	C:\Program Files\ByteDance\douyin\3.4.0\tray\icudtl.dat	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	douyin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	douyin_tray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	douyin_widget.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	douyin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	douyin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	douyin_widget.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	douyin_widget.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	douyin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	douyin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	systeminfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	systeminfo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	douyin_tray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	douyin_widget.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	douyin_widget.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	douyin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	douyin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	douyin_widget.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	douyin_widget.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2408	systeminfo.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{021126DF-2B48-41A7-8615-1ECB923010A8}	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\TypeLib\ = "{022AB1B0-7ED5-42AC-84AF-6D927F504381}"	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\1.0\0	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\1.0\0\win32	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{021126DF-2B48-41A7-8615-1ECB923010A8}	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\TypeLib	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\TypeLib\Version = "1.0"	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\1.0	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\1.0\0\win64	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{022AB1B0-7ED5-42AC-84AF-6D927F504381}	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\ProxyStubClsid32	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\1.0\0\win64\ = "C:\\Program Files\\ByteDance\\douyin\\3.4.0\\elevation_service.exe"	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{022AB1B0-7ED5-42AC-84AF-6D927F504381}\1.0\0\win32\ = "C:\\Program Files\\ByteDance\\douyin\\3.4.0\\elevation_service.exe"	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021126DF-2B48-41A7-8615-1ECB923010A8}\AppID = "{021126DF-2B48-41A7-8615-1ECB923010A8}"	elevation_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{021126DF-2B48-41A7-8615-1ECB923010A8}\LocalService = "DouyinElevationService"	elevation_service.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	douyin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	douyin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	douyin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
792	douyin_tray.exe
792	douyin_tray.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3916	douyin_widget.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe
3036	douyin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: 33	2408	systeminfo.exe
Token: SeIncBasePriorityPrivilege	2408	systeminfo.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe
Token: SeCreatePagefilePrivilege	3036	douyin.exe
Token: SeShutdownPrivilege	3036	douyin.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
792	douyin_tray.exe
3916	douyin_widget.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
792	douyin_tray.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3896	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	118
PID 4008 wrote to memory of 3896	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	118
PID 4008 wrote to memory of 3896	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	118
PID 4008 wrote to memory of 4516	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	119
PID 4008 wrote to memory of 4516	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	119
PID 4008 wrote to memory of 4516	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	119
PID 4008 wrote to memory of 880	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	121
PID 4008 wrote to memory of 880	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	121
PID 4008 wrote to memory of 880	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	121
PID 4008 wrote to memory of 4872	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	123
PID 4008 wrote to memory of 4872	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	123
PID 4008 wrote to memory of 4872	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	123
PID 4008 wrote to memory of 4432	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	125
PID 4008 wrote to memory of 4432	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	125
PID 4008 wrote to memory of 4432	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	125
PID 4008 wrote to memory of 1644	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	127
PID 4008 wrote to memory of 1644	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	127
PID 4008 wrote to memory of 1644	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	127
PID 4008 wrote to memory of 792	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	129
PID 4008 wrote to memory of 792	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	129
PID 4008 wrote to memory of 792	4008	douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe	129
PID 792 wrote to memory of 3916	792	douyin_tray.exe	130
PID 792 wrote to memory of 3916	792	douyin_tray.exe	130
PID 792 wrote to memory of 3916	792	douyin_tray.exe	130
PID 792 wrote to memory of 3036	792	douyin_tray.exe	131
PID 792 wrote to memory of 3036	792	douyin_tray.exe	131
PID 792 wrote to memory of 3036	792	douyin_tray.exe	131
PID 3036 wrote to memory of 4588	3036	douyin.exe	132
PID 3036 wrote to memory of 4588	3036	douyin.exe	132
PID 3036 wrote to memory of 4588	3036	douyin.exe	132
PID 3036 wrote to memory of 1924	3036	douyin.exe	133
PID 3036 wrote to memory of 1924	3036	douyin.exe	133
PID 3036 wrote to memory of 1924	3036	douyin.exe	133
PID 3036 wrote to memory of 540	3036	douyin.exe	134
PID 3036 wrote to memory of 540	3036	douyin.exe	134
PID 3036 wrote to memory of 540	3036	douyin.exe	134
PID 3036 wrote to memory of 556	3036	douyin.exe	135
PID 3036 wrote to memory of 556	3036	douyin.exe	135
PID 3036 wrote to memory of 556	3036	douyin.exe	135
PID 3036 wrote to memory of 2408	3036	douyin.exe	136
PID 3036 wrote to memory of 2408	3036	douyin.exe	136
PID 3036 wrote to memory of 544	3036	douyin.exe	138
PID 3036 wrote to memory of 544	3036	douyin.exe	138
PID 3036 wrote to memory of 544	3036	douyin.exe	138

C:\Users\Admin\AppData\Local\Temp\douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe
"C:\Users\Admin\AppData\Local\Temp\douyin-downloader-v3.6.4-win32-ia32-douyinDownload1-wid-8LIJjDWYR4V.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks system information in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe
  "C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe" -type=warm-up --start_type=installer --session_id=b39751eec509452e9c5033611dd437cd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3896
- C:\Program Files\ByteDance\douyin\3.4.0\elevation_service.exe
  "C:\Program Files\ByteDance\douyin\3.4.0\elevation_service.exe" --install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4516
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="douyin" dir=in action=allow protocol=TCP program="C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe"
  2⤵
  - Modifies Windows Firewall
  PID:880
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="douyin" dir=in action=allow protocol=UDP program="C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4872
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="douyin_launcher" dir=in action=allow protocol=TCP program="C:\Program Files\ByteDance\douyin\douyin_launcher.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4432
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="douyin_launcher" dir=in action=allow protocol=UDP program="C:\Program Files\ByteDance\douyin\douyin_launcher.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1644
- C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_tray.exe
  "C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_tray.exe" --install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_widget.exe
    "C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_widget.exe" --open_from=tray
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3916
- - C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe
    "C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe" --start-page=EnergyEfficient --start_type=tray --session_id=8a74d4cd0dcc4da69088217b9fa170ab
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe
      "C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe" --splash
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4588
  - - C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_tray.exe
      "C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_tray.exe" --start_type=electron
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1924
  - - C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe
      "C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\douyin" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 --field-trial-handle=2972,i,5087597116783466928,9528395112056720051,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:540
  - - C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe
      "C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\douyin" --mojo-platform-channel-handle=3060 --field-trial-handle=2972,i,5087597116783466928,9528395112056720051,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:556
  - - C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@byted\electron-systeminfo\exe\bin\x64\systeminfo.exe
      "C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@byted\electron-systeminfo\exe\bin\x64\systeminfo.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Checks processor information in registry
      Gathers system information
      Suspicious use of AdjustPrivilegeToken
      PID:2408
  - - C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe
      "C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --disable-gpu-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\douyin" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=2972,i,5087597116783466928,9528395112056720051,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ByteDance\douyin\3.4.0\D3DCOMPILER_47.dll

Filesize
3.9MB

MD5
9fbf0454eee84136a92071ef76c32151

SHA1
4b8787fbf6bd945f7262ee6765030f3be03ad53a

SHA256
629af76f99412c2f0fc8b9fa22d03491bb6a34dd779e17a0955eeb3114b8cfa1

SHA512
d925ad3e277db8f96f20388a487df2b74a1f25b9e10dbafcbe420b487b0b24138275dfb63ba98b24422234fb97164fe3491ec64506eec4e07b911f2a50db599a

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\LICENSES.chromium.html

Filesize
6.3MB

MD5
8fc2208aa7658c6fd45b2c3bccf27340

SHA1
41943c66660e06137cdb0c85bbe7e73da3935078

SHA256
82ae05f34c59295683f11c68649b98e2386c766cd7086f743bedf730c1bdc113

SHA512
508430dd7b89a7a86f3f117d842a87cafae36bcbb4e0f097969d5dc7da89290302b2bddd9cffc15e60ed1459add6bb9cc6b09b924ee9507b556046aa335bf612

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\bmf_hydra.dll

Filesize
308KB

MD5
e90044f291e2f20b4094093da993b7ff

SHA1
db6dd516d2244e7c8e37a6d59aed6bb21b71e0f5

SHA256
2213846a27a59a37b0aa3e27bbf4ed6beaad2131a9a913db2134a762697a5dc7

SHA512
eb14723cf113f68948f52ba1fe6258b99f0b2f0d6d8d048ca688103362f5fc3e38b0c05a4ab086a40ea2c05e322744ec9dd972d6cdbcc83838940564e6ba518b

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\data\icudtl.dat

Filesize
220KB

MD5
638450ffec2b568e46d4a7d9de23d130

SHA1
a5f3fc33b14553199c0cb2c0d0113cf0c1926986

SHA256
33488789a3710402492794c81680522e46596e6fdc31de70b9f51de687be86cc

SHA512
9279e8fbc529f3971e04af88be0e4bc9861a8444f4c32ec7a7c154362b26849da850dcaf8adf813d334b99956d4519a1e716c7e569d23957ab3da51288758154

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\douyin.exe

Filesize
128.1MB

MD5
c9b8fcc1840827cd17fb5aecf1e6c234

SHA1
5987e23d01f3be3238268c34664d1d69814b7030

SHA256
ad6411fe4061e499fd38e81fea33ac57aaafc319bc17afc6b5043235bad7f316

SHA512
556a3dba78d90f630bf9d911bad0a42ed622d19ada1ad4945900053ba61cfdc6dc2e7142ee47f1ce7386371bac1a8c5c4f3918a75fd33f51970b6349f2fb96d6

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\elevation_service.exe

Filesize
2.9MB

MD5
df602dcc04b0e9323789cef9292a2217

SHA1
d80a419e2913ce191570f2473e24f4d1b345c7c3

SHA256
da7bac5a91f67cf08a2cb8b51fc79cd1b819ab073f58f7e47ec485db3fe2511d

SHA512
17443f9dfbf934ae22603c9cb17b6a29fb68af87b0236f43367c1ba61cc46a4a292922b5b4d61d9aef7f9f598774a0623f9c5ede769c4b879e3b1222a4eeb2e2

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\ffmpeg.dll

Filesize
3.4MB

MD5
123aed1efc7c5c98fa0227a5cbc56b3d

SHA1
7483427537aaca4780fea3fe4101643b32f8d767

SHA256
939557f2e3240ebb1729ed4a4612258f111c494c5228599cfec984b2edf7608b

SHA512
9183eebb3b2b01f64edb532ae9105da9452d12809f08443fa173cc0c70b57566df445e78b8b037aab7eb5e074894a61fef64e300c8d47e49e2d29d5af3c7b976

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\icudtl.dat

Filesize
10.0MB

MD5
6690f2b2384e1bf8961fda96a4d07691

SHA1
111f6dd9833c653908431621fe8fbc87f1135632

SHA256
cb73d42d36839708013393ad0e4e932fdda9a1acda9275ecdbe74fe89eea8366

SHA512
6a5242fdc0ba09e339151feae1b3f7a9f00a09288b6f4ea9305d1a09d8bc3015c074ee91de35b8d6fc765c2fb55ec37dd91b8e66b7a7bb3148cbc305de19b088

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\lynx_core.js

Filesize
376KB

MD5
58706a205d30ebad8902df432f05928e

SHA1
cf830fa5520aacd3b98f28af7d9cce2adad63168

SHA256
c2e19ff232f54ea57f2947cfd1ece7a5cbb9e397ece6702c0592771112999d42

SHA512
90ee192a48a14f1f5fbd9472abeffb89a72d85e15ba86aa991c94c070eadabe633e052136ec09a98af0f47e02c33d6302d6c35f4564d7d028c0f81db031a9223

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\parfait.dll

Filesize
968KB

MD5
be5961d6bca1fe53f7a7cce1a1b05ce7

SHA1
e7d78cbbf843bbeb02eb80004feaedfdb7e0d925

SHA256
d6a4f6c4ca415ac82c40f01b66be993479a99ea675e7c2a00f89babe56f7bc19

SHA512
571d29a23cfb13fec35f82dcdf0947d04bf021bd56d2dd8f98f43fbc47a12d89d96ebe2f3c17938e519e61776af7201af91f0be40478fe909b68b973423b55ab

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\gecko.js

Filesize
5KB

MD5
29840254e99e534b07586f74ea9868e3

SHA1
621399db7ba920a2309e6523d55e71f39ef55125

SHA256
922b72f8fe3b2f3bb9a3a5f6f1ee1457b7b1d42a5951823ca2a9204312897ac2

SHA512
d511a3017cbb0c8aecc32ebf535a300f1915e6d6db5efa6639f9af5cb23474dd2d49b0ee3b147b8773b6f562f4e62e0d6678843f37a00a68510fee129b86a664

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\resources\app.asar.unpacked\node_modules\@bytegecko\node-client\out\macos_x86_64\libcurl.4.dylib

Filesize
3.1MB

MD5
3f2c26ffc5abf318d98711e4127ab547

SHA1
22862b866ff800ef099671e08f7c9eb642399123

SHA256
2faa7e2bfc9352749e8f9c5ce9e35f70d3d459f82f05c921e45f259df03a35e5

SHA512
ac6a85c6c55e6e79fb3e530680e369b8c03f8932ac7d3335dbd6a68edb7848aca58bf7f11be5abf9b7c45a80fbcefedf6e2e4e8334fd63e198d1500397968f3d

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\snapshot_blob.bin

Filesize
283KB

MD5
725da9afa1c09639cf833219cd2abe3b

SHA1
a0f4ef17c4564ff0e218259629ec959232914e87

SHA256
a0572794df1277ee4cf6566b480fba3a244797ed4defb350391db5f298f32a31

SHA512
062e78b6f32194bb391a8e8a160b80f8cd76a751e1879c8f248ee08dbc811e69184eae21dc167283b3771b32204c383edd77b7bc0f072cc5cd6d56c7c676a559

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\sscronet.dll

Filesize
4.4MB

MD5
7c685846f584c98ae9c3b836b05696d6

SHA1
29384ad7cd9a4d55091929c207c9a83eb4fbc675

SHA256
f89495c860ce4a94f7f08058a7f767f34eb575fcb7bac29b9e29f3e376eba884

SHA512
e6d080b8047ea74214eabcd9b6650cbca2665a1e473b78f98fa88720e12d1fb64c77f3ce68d269d140dbedf8601ea78a09af91073e263e39f2adaa07d518dc3c

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_tray.exe

Filesize
6.6MB

MD5
2da2d77a0d9c816019c02cd2bfe8488f

SHA1
2c06045bbe31fc2c65f5fe70135e8c0c13ab6ca6

SHA256
4b61e57b485bbc7fcc037737e97c900a51a842172496dca74cf3d24bfceb6c07

SHA512
17bab74ff4d382e5e902f2110c229cb6730bc618ed307ead9cdee9fdf52ba8ff5000564c5eb2270bbd808728220bb791e9e52f8a9e0e722418974d1981b650b8

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\douyin_widget.exe

Filesize
1.2MB

MD5
6e55fd47c0f33a16d0a236ec6e86b2ec

SHA1
1cfa2cddf3a34b7ce2bc089328a22f93154a065f

SHA256
02254273ee154d52130653a86219dbb346be7d929d4022d87196095011a714be

SHA512
48ca1e2fb3dd5477ee0c6565c76d73910b690b6591aca15144d28c28bbe230b0daaa094e9932e9e9ee0f242b4565c4093122b871772dffa9f1f9fb9d969685cd

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\electron_lib.dll

Filesize
28.9MB

MD5
0c46dec6f8082b2c48d1870fa4a5c855

SHA1
46e46567b11973d33cce2a5bcd3ee5e6a688dde5

SHA256
5d0a6bc86e5969ebfc232493509939b28dd1b1c363e3bc5349f77e41f1da866b

SHA512
26835e7a957e15ba94077feb51cdefb5887d4ca908de6dcf4c7395f765c08fcdda9a386ac977a460a172adfce5e47698990c0932786ecfd2c735423a0944a43a

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\lynx_shared.dll

Filesize
3.9MB

MD5
e098b6c3a789d172d79892dac16ab152

SHA1
9eec26ae9c8995e5b57b8d25ab7005004ec6df89

SHA256
bc87a900c4582dc1757dfdc8c62ae2fab8c54ed34e71278b35a668acc4e91a36

SHA512
cece6bef1ae8cb283423749195e449cafeb4f1384a87753e2e350da8e4430d8afabbed233e743a8e3eda579aa1cef186df3a8828d8d83342af9b5a3c77929a82

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\parfait.dll

Filesize
965KB

MD5
a2f2a615c4e41a2136d947b06f7b58f0

SHA1
30b4f95012425ed80eb92eff65b39bf9c63e38fc

SHA256
31e2bc0a557b0dff3b55665cb42c40ff220f111c031f499095afb69613976c15

SHA512
2c1d7fb0ee7b3601c8e48892debef22e0e69f1ee8dfa5e67e5e994fb5c55f8ba5a587919fba69e6946d742407b92fce40b3dd5719d63061629a5497dd3b19184

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\renderkit_windows.dll

Filesize
11.5MB

MD5
d284134c0994d22f7576072228cde6d7

SHA1
cbec588fb5a7aa8b8e364651ba8254c3ec0eabcb

SHA256
f7814f33b95c3de9c3c6099b1bfb0394c2fa7cb7a8e5dc3d57ef2e07f6614087

SHA512
5893bd8311776989188c137e4362a2b3a6dace85f28e9638276be6648f9d0716675eec2f510ffca875aa6a3a98d9e59fa8d5d3a4015eeb50c2ca982d0d2cfd7c

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\app.asar

Filesize
747KB

MD5
f1c4c54e4540386d2cbfb4ffb80abfb1

SHA1
f75805fa2fc0c52a7ee079a72e0a889429c24134

SHA256
4267527fd1bd0f48ef8de29798ddabe9e29c00ef957fd77f2be4f639cf87e4d7

SHA512
2c929723830c6fc3218b0630a7a7011201a8c9668771beed4430f78b20377f2ceab4c12ba3d143d8f9813c3fdf1adde63c3b7d34180bd05a3cd1ae0b866df75a

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenBye\images\img_5.png

Filesize
90KB

MD5
8aabb49710c45df420aa45656a1551cd

SHA1
c6ea9b20b98c48df55baedbcb58eb115b4ebd00a

SHA256
f16c8784903ef22bc8632f6bab4616706c5ce7cf7f4228a084effe515ed434cb

SHA512
42de1a07cef404ea644352b8d3457d0f0b2381ba4a2fedc774d354c53ab8f01c4c397886dbeca9439fb22fcafcdbb39f28b544337c73f992abd9259340de4e19

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_10.png

Filesize
9KB

MD5
331cbae32e8e49eb44f41c3d81f0d903

SHA1
48db9d8dc749498e26f9d1f598961c9814617b42

SHA256
3731514e23cb9a6bf124e75446641225cb2299d25c2a44a3f9f85e6d100ab45a

SHA512
702bcf7157c9521e9833b4a9c173f781e6860b71a4ec3ddb6970c112a1f8a04c9949a9296d7d7d94102ee180ba5ab4f63e0c5ed22b0936a509d5d700b6445d89

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_4.png

Filesize
79KB

MD5
f98802d1da2e601974ffd04b635b373a

SHA1
b1c9bfcd590bc1d51e3053c81617be2129dbb909

SHA256
5c776a5c8dc19621a4aeae6e8361833cf649d3fac972fab9c6f6cbe7e37c3caf

SHA512
b4deb20fe8ff69de1c60a1aac323a20b82f37ad7d7fc65c4b66d4254b05f606f8d93910e4a008063b27762a3a3f520a3ef6fbd571822075a4879360c05452654

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_5.png

Filesize
6KB

MD5
b51e82f6100fd8ac550e085e9f58828f

SHA1
28ce7c91746fe4c8d23d40582d5cda5f2591069a

SHA256
a801e159bde1010e7178df6150bd50ce94e3b9790285f2cd1f491f64ba793479

SHA512
519a6b2ea7cdc91d2caff8f8f32b8cfd03bb19291da0d063400a3251df7712dcc6be6166016fc34daa59c3b01c463146405c175cdc628d213056f3056f1126e8

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_6.png

Filesize
6KB

MD5
9b6771c05030211ff314111dd4b3f2aa

SHA1
0fa812cb13e650b17dcb8a3ae27e29b96a3d3494

SHA256
92ba6064ea85d3a910d1ed7f75ac931d10455f4b5333dd9e2624bd00b0cf18f7

SHA512
c09e8ca740d6e689473ac50f2eb36a5514d91adfefa7a700fce0268ab1608676a5d77e418491d4e7a036c3bb9ee83d9c9ff2d45e786c5b1bc6efb270e7fd5fb5

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_7.png

Filesize
90KB

MD5
459bef4978140e52664cb9b764e47619

SHA1
b5b9efa6f58eb6871c157de6d4321247b79dbc10

SHA256
454e9d0c33e157434a05a0f6c46f9b8377e7a19b822e6347af54b69c9d3c7661

SHA512
3bafaa2e1144374ee413a9ffa7908061617e572e1d0379655cdfe753fe3bdd090fc2958c83062e123785c172f9b8dbf8ee958a34e7322efc566fc0c28cf19281

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragMove\images\img_9.png

Filesize
3KB

MD5
3f2ff6692a6309ac6f9197d09c9cbf60

SHA1
12302741cfb9f71d21b3e5bc6d971b04e24973a1

SHA256
60fe82e34051f7d21e334a87db46ae988a715b31d8fc7d31db237955fbf03676

SHA512
dc0adce7f363e195744044d77340ee0543f1d779560bfbce1e9c408018f6b38683c66ca5060640ba6ca3d2cf8cf9eaee9f6121b1693e2e1a82288511e87821be

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragStart\data.json

Filesize
620KB

MD5
d119779f19adcb2b585a0606488b5430

SHA1
f2ea896c41843ac9a917ca9c428e3dab6b3a3e89

SHA256
5dce938021576752db4533de2b589cbf51865abdca1210e551c497e06bc95b3d

SHA512
a82756043f56f2c107d30d916806793101806734ff24fbaf5cd6a5e9ce9fe5938a60460e679ff5e99e686b7790aa95361c040e315dbdfa4d7532bf796b131b3c

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragStart\images\img_0.png

Filesize
123KB

MD5
2b936fdcc4afb575983fda7ab0fb4e9a

SHA1
b4398ed4afd29d2424cb60466a00efac4ae2d894

SHA256
e6b42a4b3a42cdc182aea996a1b006c4041d2024b9503ef71320068b1b7f0789

SHA512
0546aa71d7fe4ff744214cc1afd3e61f8e920987de7ad2935542648f62e22f4f7edea8a9fc84f3a9c1dd598d25a2c514514643919831e92cf28b80446aa88f67

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragStart\images\img_1.png

Filesize
5KB

MD5
19c074af8d952c361b9d5e3631412c50

SHA1
3d8f3ccb929fe1d15d85863e4f025974c329940c

SHA256
f2fddf492a7a757eea66799481f1f9818b9b6c8139b23ad918d70558c7ae0c76

SHA512
8d055de7e39df8763a9291e7ad523374f9ae47f74ed47a0be6e047535c03b40d1d6b8c7e62b1f2da0ec4616f52db2b64fd926b0a42f280698dc3a1585d891ced

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenDragStart\images\img_2.png

Filesize
7KB

MD5
5befbe62c4696758233fed189134863c

SHA1
a48f39b4b32975d9c56325ef7897933dd62166d1

SHA256
17606019c999170a316196aaa74c1e3c374dddaf0089d35d74eef1ed6912d278

SHA512
d43e4e34d8cdca388b62160d97c2b6657b663871f0255c57a3a3262d78bee12adb9e58b3a4eb8556b21d9b174a619db479fadfc3aa5eaeb321d085ba00ac8065

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenGuideClose\data.json

Filesize
296KB

MD5
c0570e0d6546e031e185b2e9760a8b19

SHA1
4619a182e1f21ffedb9072cd8c8adc582ec8fe76

SHA256
6aeaecc50d74cebac20df524166365826d52f6aabac71a9d657551cf8f89593c

SHA512
2267767c0d6c97ea2b3b6d4890efeec3d94cb39881e782780792699b7c0205577a3d15a5a9665e4bc05cddd79795d9c50d71d0ce29fd1d7bedaaf1f22e56f11b

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenGuideClose\images\img_1.png

Filesize
5KB

MD5
f33676ff2e197be93c84c49614a717d9

SHA1
c7ab503148f345a1bb39fb75689b958456158e8d

SHA256
8b3a8b770fd8f6f5ca92d5397a42aca88f6ae1f6adf96abd5a64e58c7ca75d50

SHA512
575434bb00b743a6a8f5f7543a4465e2aa750a24e9ca62093fddb75a41354c8ff14302f4ba00dfc72c265e1e721a08498da2d282c7a825ec803cd3866603697d

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuHideBody\data.json

Filesize
400KB

MD5
3a4bf15ffa258d8840700418eb2649dd

SHA1
a42a46114ee7a5a8631649db32156cb54673299f

SHA256
48066f9d4c2c2a40f26c11700f38526e00b86dfa653e0279fb72634cc7f473f5

SHA512
164212fdb8f549f7358731aca027d95d1bbef3c350b352638a5a7466671fb40fbb2bb0d38b11bf963b6dcb597320f2902036696f4a7920f56933fb6706d71ebc

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuHideHand\data.json

Filesize
75KB

MD5
8a6adf7f8e3da9c463f8e4ca0a967f4d

SHA1
4a120441eea399c890b780d8bd71875bc2e203dc

SHA256
e89660a2c93346fa97be9598d84ff469893aa767fb09d8f370d28c5a5579b7c3

SHA512
2122cc215d0f8c6556617f2903e16ea0dbf9f29a75f2f41ddd8cc8df6dc966a415ab2f933344fb277adf69167e11d29ae1314d26c208bc87870db859fd7dd958

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuHideHand\images\img_0.png

Filesize
32KB

MD5
6ef8736361160cf10daab38bbc4edef7

SHA1
e9e0544e2066019959d30acf6de24aa223591004

SHA256
1c062ee1b47c063083c21a7231339a57b188eebeb6e1585a1cfd26be1edc6582

SHA512
25cbeac73e6dd74d0943fe1fbc50f1b359bea02d31fedd938a389eca12b4e84d588bce5de66498f7b3a790c894a6995a51adbd0ac9608c8e4726bac603fb8569

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuHideHand\images\img_1.png

Filesize
5KB

MD5
723dfd3112b7009df2844c9087f501aa

SHA1
d7b1ddf0fc744e35b686fe8a97ed59169837d902

SHA256
06a2b1c282d050031220b1f0f435eef9d57294649bfb6001cb64799193178afb

SHA512
2555baa7b87651824a8d92c713c632f8e87a338602a70154601d0d0b362aca0b69faad02a714cb0c1171f6806db6018f20d8a325d49a86b88d9d4629006e954d

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\resources\lynx\resource\lottie\xiaorenMenuShowBody\images\img_1.png

Filesize
113KB

MD5
ed05f14715ead03fc0496741e276dbce

SHA1
28ca239bba852784767680804b92565da61e068f

SHA256
9331414fb1c1444a6b3d8bfb0e09871b4adaf0de3118196c4b42d2ba2071f590

SHA512
0056664adc5a9bd4365e6f173a8de20b08cb7d0a43357e053109b824309f85fbc93661314ed7c79fe6efa1d1247185648ad6ee3b4b5ab57f1e316d8cad4054b1

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\settings\330274222\pft_3.4.0_\pft_\ddc1ba81d1549879872a73eb9b1f6811.pftconfig

Filesize
1KB

MD5
df1f93fac1ca0bc48b146eb0ed346a21

SHA1
77540975129a6e2cd1a691edf66342e0b7b1b0c3

SHA256
3c9c43d889af1f87532657add008f32cbae5250e7f12e5e27914861a58e54802

SHA512
eb0305e3e59acab4a8f6419946384a16abc432813bf1c507dec4d67602933b11c0fc76c55713b43b3af22188d0ba5502b9d9999a628306215d786203a2ec7863

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\sscronet.dll

Filesize
4.4MB

MD5
74078d8280e1db50cee9bc1268fad4ab

SHA1
c15ac501f19e9cbbe9de57950b0cfd53fc213fd5

SHA256
9c93d0eadd6d06c7782192a9db07c30f8e402868cfc5f9bec496cbf916afdff9

SHA512
6bd7ede22606dd2f0929c6f3d5e9d0708a1735785a5a9439849cdf1082906c9df5d707b1d762aa5417a9bda94ab8083c890490b74fc5de1d71ecc953ba504391

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\tt_crash_reporter_config.dat

Filesize
224B

MD5
b0c9e11bfda8130deef912f3c51b4248

SHA1
beb0c1f9f81e201fb6239d40c6cb31a8e53d07b9

SHA256
16934ed21e296793e24043f31a583defd31acb2d78351ce64f30be7c100cd2cb

SHA512
3b26703071c0984322757386abe9692d6138ffee063e9440b2fb28ede720ee952bb433703e4ff29afb49f5b90aceeb0023d962609624389674f3f2ab3ae1e617

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\tt_electron_config.json

Filesize
432B

MD5
531e58c878fd27ffbac5f121b702bd80

SHA1
b45339d5f679ba02a5bb9b604ef9da0a63bbdd69

SHA256
ae6e032b34ef01b0a7b2ff561468eac2c1bb8312b16bd3044a3e83ba59fe70e1

SHA512
08317615e9e59a0bc03ce16cf72c9a84523c15eac6f541f11c60d4db1ed8dc2749594d1c88bc08950ea4cc8dc7a21f388b31714e5bb316358d46637971816562

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tray\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\tt_crash_reporter_config.dat

Filesize
288B

MD5
fd73667b62f908f954727318e35c18f9

SHA1
663ff533f20f681779e65081600632b9a31e0929

SHA256
0bc1dec63a77b7ac54e459def4992347fd69f14cdccd966e0ae96a8e5c708568

SHA512
ce4332a33fa7f2cf23914022c643e276a431f5a7efee8665801998a6e6f1cfe967a3267b82d298538b22b80f1fa752dd903af1e6cbb6e43dcd366918e8991adc

Download Submit
C:\Program Files\ByteDance\douyin\3.4.0\uninst.exe

Filesize
1.5MB

MD5
c42929b97220a7ba062a9080f767f8ab

SHA1
92525b1ff774bade121582bbc1e7ed82c365ad3f

SHA256
f6563b08a70eddc2efc60a6f4a4dfa6c75f5098c73b9d668fdba24d46c9853d8

SHA512
09a96bee30c25eb77aea2c5535f248264511a2479c6c7be3ce62999160cc76ec634bc7490f4c191eab04d8ad1c0f1e6ce79f9a6e57ff98593eadb1277c1c7dcc

Download Submit
C:\Program Files\ByteDance\douyin\douyin_launcher.exe

Filesize
4.4MB

MD5
332e5f8b1ad296b2d797b50044708209

SHA1
11ce77b8c37a67cb9ccdf6ef9dcee2b1840a628d

SHA256
17f6f4c88a5e23f4656f7ed803b1f3d5c0d32415dfb3b987e825d0f29631e0c8

SHA512
d27ed29647ef1b0dd91ec8d787a974de873a2032fb3e643cbad8a094019042f6800492313f7e550074ec7dfc3e64271b3baad979378d1ae799695efb132630fe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\抖音.lnk

Filesize
1KB

MD5
be1efe85cbff35b566043cd25b09bb66

SHA1
d78ef8018de2823623e36236942e8e9d5a2f389b

SHA256
03157b6332b67719a9c0b9b8d68cc2417ccd6f1091949509a23d28e5750125df

SHA512
261c64922c49fd0c787134600fc6fe3bc6d33b5e43141b4fc54ecf5bda49efbea2edb08b720f792c375210229d5fefc0ba47a02c6635dfaa85982eb349f38b73

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\抖音.lnk~RFe5c3c45.TMP

Filesize
1KB

MD5
0fa04fdd18069950acb01018e96bf297

SHA1
8f6deab8d855debb51799ac16ed395a6de5592a6

SHA256
53372b94254262585c5cd0d7cab43215b86cb59e18ba143a6ed74ee7e2a5f974

SHA512
c3632d63f59d211b3f044e9b91b36a8c9dc7b66d1065824759c608867169e25ab782d0bfff6be6e6d10fbc0cd3dc6fe1a9ec29f2c8e6706ce5ad1e957b4f9b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\ApplicationID.dll

Filesize
210KB

MD5
117a317292e4c99d299767e297407569

SHA1
819c158109c672c14188ed4bd72a98850eed3b24

SHA256
69a57333eaa40bd0135808a11832ecaf819701aae975746fac0b43ff839bbb58

SHA512
6f6998132594d20fb7a4ea36ced2d8b505b1b2bf24ae5013da302b0eec2d1997a1200785afbcfd1f39931e22b4e1dafd63b39e90aa695f62f32f9b438386f25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\BgWorker.dll

Filesize
14KB

MD5
98edeacc6252d96f56619adc79c3dc5b

SHA1
4e3960cd1ab1b1dc3511765bd58fb0a6bb478ed5

SHA256
ab419e15600a0b29dd17075ac3abddd8139138ddaca81018e7d94080a294eb29

SHA512
368c65d7a160b72203ab9be8064e02406ae20894041dd1a8a8329e8dbbc5e88c6dac7931d2e77c504e9675f34011e67ffdc6306dc42c7be573466a276772f76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\StdUtils.dll

Filesize
111KB

MD5
c72093a5c0363a9f1c6089d3dd70fb67

SHA1
f9259b962d7cad67f18a2daebd3eb24975d2ed65

SHA256
f287713d205565eac988971953caf0423301479adcd8f3ec8834d97b962aa4e3

SHA512
6c28ed10e7bf8b4021fae0037a112c18023642a5334997e6ded2bb40fa0cb64f8576e3e478909996fbd5d50e782fad1fdc16cbe0bb6e217fe76066c0c8c99da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\System.dll

Filesize
23KB

MD5
3f73ddf59ee105988f456eb6500db072

SHA1
6fb46aeb99d16b43975af06697d20677e36f24c4

SHA256
25a972652d1ca4804b9ef0d11c9bcc957000c9a5436260c785de685b67547a9c

SHA512
339bd43e0d30cb479f111c2561fd7553b8a667eacbd538cec7a5e8946002a086b074ec26566d2dc7db6e9949f56211526ea9b0c1680c9979630891eba1892ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\ThreadTimer.dll

Filesize
14KB

MD5
0b4530ddbb860a481f17958f4cccff44

SHA1
2c4a719d1e1c24246f2db2de1ffe90077cad499a

SHA256
e7760664e73feb1b0cf8c8059c4c902f6285f290a4f044e1240be3458e22c116

SHA512
c7deaac5e6c44c82fc37993441ef43f517fa45ade315b81bea3d6ab6b878b7ecedd81e45fbfd771fbc35597df39cc7047ca401c0b2d9134914a8fe8c80f53e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\downloader_nsis_plugin.dll

Filesize
2.1MB

MD5
ff1a26d4563ff3f62adc5be03a9724e3

SHA1
a3cb54f6760d81009017bc0253d0cfd60c77a682

SHA256
99d2f0943ea829e9b713248be55d05b2d5a30f221505d002ee162fb1080f112a

SHA512
a37efcfaeca8e9b559ee6754ae05214cef6c1402f23d5406880e28d984877da9fe8418caebc8831d95557308f59bbb617eed7c1b6d1bbff768a38e02fc55b648

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\nsProcess.dll

Filesize
16KB

MD5
1276e1b8d205326ed1cb73eaf624147c

SHA1
cb69520a7943b364773ada21e00ea581c12bc97b

SHA256
5dcdd16e4476b7e95e501688b790bcf58e900e5ff348b01df75a9ea375d3b344

SHA512
e7dfd25ad9b846bd090321a20c489168d01516dd401eca136f0436ddcb0261bc0d90c78f97b4dacba11de806ef6a53f00e771d9dd28ea98e15ab9513afb4bec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\nsis7z.dll

Filesize
435KB

MD5
31b1cab2405be18c453b558cb750810d

SHA1
a1b981f52718f598f080c963d567861a09f68e48

SHA256
a043c7ec9aeb8368d10861aad3d611e2a993e645701c2c261abcc3050769d918

SHA512
e20a5998ea0644ccbd88d373964b5ce7209e00360443d0dbebd09c4591a8162e51a32071fe7eb6c497f8c6a69c90971db1227476a87a7760f0207ff065a9779b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC535.tmp\shell_downloader.dll

Filesize
2.2MB

MD5
5abce3517584cb3a88eec273b3c4e8c0

SHA1
2a98dd5ade7957376b7f8139eb31f0eccaaa3711

SHA256
db01847e819ff43f810bb3cd91690d3ca580be2fa4b92593b25863acc6700ea5

SHA512
1fa58e6a9a171c5514f1dbe998da84649404357c2fd2a36ec28b65483536beb153d01aa36c242da6aed7ba1746460a0bf3cd1ee05a579012ff19a23efbfb8e62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Gecko\resources\725838fa3b7f65f78b71e41d511c3857\offline_page\457568679\res\resource\async\pages-Hashtag-id-index-tsx.812afaca.css

Filesize
113KB

MD5
5251ab32369ec046fa6aac517173c3c2

SHA1
ab73b9071688df4bdda41b30f5c6d28a70dc468b

SHA256
49f6da88d4222fdf4a17ad2aad8a4de0261e6fc925b77fa07bb1f4a19fc49a10

SHA512
0eab4f8f9a977c474c63bfa7a8a3329101cf2ed6f10fe6ffacbf44767eabf34de3851e9932742e5a4ede21e2046a36a53bbd4a767f42bef3a979e56debfc638e

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Gecko\resources\725838fa3b7f65f78b71e41d511c3857\offline_page\457568679\res\resource\async\pages-Hot-detail-id-tsx.8f57a52f.css

Filesize
24KB

MD5
ff0a2062053b4623e1ef9f9be5b341ef

SHA1
073aae404e89caf953e22b5dfeda64fa5b4afd8a

SHA256
0e3985619ed30da8684b624c5986750acda1bfa977685f3f29ed4f117573f41d

SHA512
28bb8fc2e6d4cd3d26c617b0a66b1c0d8ce053aea033fc4dc772d41261b24b568b57d68e6759066fa0871463d59930ac7c1d5860673bc04d1496a01dfbcd3917

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\661066af-1f1e-48f4-9e73-e961c07d4f91.tmp

Filesize
203B

MD5
371abfb419c23b4c6f5040c6f055b74f

SHA1
10e43df7d0bf744d3ddc9ed1e978ce62919d475b

SHA256
3e07c98b2430b038922521e63924e81ae6c868e3e7aa37c5b782ad604e5b1b32

SHA512
ad3552376ccfdf2539464d2a0c11b98ad05ed17eb846ff70470595313f5ff719251868868ac960d4db511807138137449d63c33249614263c09d48885c1b28b0

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\Network Persistent State

Filesize
458B

MD5
ab2828da4491ea411901e5fe72246105

SHA1
8dea515cf3ca5b85cbdac823ef1532a83a3b7596

SHA256
1ebfc4d9b16ac70d7bcb5e255c32da39547700a0c2e89054bfca8ce868b1f68e

SHA512
a37d46a968ebd8d3cac47ea16560895aff76fa268bfcd8224effad864e3d0021a8eb3e6bc108062b4efb81859f15a4ceb15fadef207b6e6a3dffc3d7530ce5f5

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\Network Persistent State

Filesize
367B

MD5
f3dc20ca85aa4a2f858b7032924a0751

SHA1
57ca0b218c35a312061a5e1f4df10f6ad8570f3d

SHA256
c7b0bc42b7563ece7f88dcbbe897bba530b619dc2b81356da3df82b3cfc452a4

SHA512
74f17f65069836652e4947cfb449eef62893dfd865b8d38b0d9acb378d9034af1c5167c1e04eda5a94c0857fe3eb4c0217823dc7a8c1490438dd24d7406080a8

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\Network Persistent State

Filesize
458B

MD5
600300b2910ed6f8d6fa3ef5d9a0c6aa

SHA1
f2e2a9c1bd8392b7d798464e25a4d53c3e1cb58c

SHA256
55391fbe3a089d566f77e0797640862efaff55aedc5315937fa5013d14f5cfd0

SHA512
c294479220f2e65652df9f415593a0923d849cc711e15873d403b970c82650a38d1b4a46595d271f7c168ce7eb3823965ecd1d9c3483f20a98ab051aaa68e519

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\Network Persistent State~RFe5d909a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\TransportSecurity

Filesize
203B

MD5
4cf5374548a0ed9fc6533171985f8333

SHA1
270f4f415eafc1907bb0c9f5abb8ec18e1e17bb3

SHA256
46c6d044ca3554d1d0512b01d58c0bdd178c86610ecedf16fa70161740db6562

SHA512
0fd2140b449c72c252a5ff2090f4f2b994af285d2b4d513e01b94238c2f54f0a7fcd6048c56b52f61ba50f635914770fbb496237e36703bcdb9cdb3afc0650aa

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\Network\TransportSecurity~RFe65db1a.TMP

Filesize
203B

MD5
34174ba29b219d145a23060f9b8ec4ab

SHA1
f0ad5e63399e3d5addac054ebb6947fd5039478c

SHA256
c9a685ac11f1a29b499c3f39250a9aba333ea1e292c4e4b0976bcc8e5ae2db5c

SHA512
ae81e8994aff3bb7d0c4e92b76452a944e1fe266714357b2472a55ef975757d10f74d2194883a365a760a7aadeca4a87ee4270a27858adeb5b620edd80958a9f

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\TTNetCache\tt_net_config.config

Filesize
680B

MD5
c3aa1709d179a3354b7b30d86035b9d1

SHA1
5b332e31847e7c30222d1c80b6c5f9bb1d08cd3e

SHA256
2c05d3acbaffa7034a5d89a0481af0b987e6e1f5388faffb1f72c6ce5ef1164f

SHA512
98af3ce14e091f4008c856d858f62b927a3423587dd17124d09ffc4927afbb4aed79ac19e133b0ab8c8476237aea79e9d6f331cb1830e43ac0a076dc0dc89f1c

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\dyStore\APP.json

Filesize
23B

MD5
741a38700f485f493c59505e3b1f13b7

SHA1
c818a2e0df833c242144e9a5b5bb1f95c32dd215

SHA256
7dd426b931198d3e30aac9db0d670a2bbee2737cd17c9056e9f87e8bcb6459cf

SHA512
027c08700de5c5fc9995904412f6ca49741a64a684f8100da37b42e6f346688e70d1ef39de3aacbc4a1d1f609019114b2b971827e356c5660f7e35fd1b986834

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\dyStore\APP.json.tmp-3728322651dd27b9

Filesize
44B

MD5
3290e4fb57168ea3578c0f2b17aeed81

SHA1
7523d4f064fe4c8795cddcd0114d801de8ff72db

SHA256
ca171c25d07bb60d62d7823283644c78d26a4796cda59b2b6644123347a8caa4

SHA512
e04ed7a0d51266ab8bfe28ca598938c46fd8174e6b1fe124d270265e0908125e617ea22b237bb78ff7b0a07e15906939a053672db9345e552f41528649cac28d

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\dyStore\APP.json.tmp-3728322927d65bed

Filesize
74B

MD5
245520f3be3d64d75ea162dd555023aa

SHA1
5bded1310bb17a4157364d7df3c6316b113f216e

SHA256
b7502441991c3dc02c0724cc5b119c5a7896208d0cc812c09c4a389ca96be748

SHA512
ab7ed8506702cbc9ceafe0b63c7421b89d04ef2a7e09b79f497ee1d9bd172f4f916971298a41bb5ed34b457732f6b3ed99f5612f988332dd60aea9f812830755

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\launch_info\3896-launch_info.json

Filesize
318B

MD5
e386d8393431f17440d56816718d2697

SHA1
52151fc2941819b80d00cc5c1891dca17f21895a

SHA256
94026b296fd8e80eb7a286012853dee2640bb55182f8e0ba1628b7448dcacc35

SHA512
a14c720f61b4fdcf4b5dcb98f345359fcb96af008047417b368eb32726c580393b89635207c20418e32db7eee948c20a83cdff613816f40c985e47ce24d253e3

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\native_config

Filesize
1KB

MD5
82b2df146872794c24abc9200d4d5e3d

SHA1
4d54cf256c30ac68c2d59f5c25fc26254610d0a4

SHA256
80f559a325d6622bf30c6f1df72ee76dafa61796413c7f180980efa432b0d16e

SHA512
8521be3a5a6bce71be70ce4f18f024d2f943a6464840f0dce5bdc269e321719d5ab9abb91b996bdc13e0226b23f141745f6dd9891faa65ce2174d51ca6ed631e

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\native_config~RFe5c8257.TMP

Filesize
488B

MD5
059f85e6757664875f2f4113430dfc73

SHA1
5eaabd874f580cca3347eb071155f0955bc83868

SHA256
8b2626b84510b44938d87640c81278cca618e8570175493529c4537d7094dafb

SHA512
b071bd5e4cb0cbc32e14f8318131996ea969bada359e648e97025fb34113f4339fc3209a18c18e36f0a84ebe102104052e9594be3ae4f466cb31d556015f86b1

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\tray_setting.json

Filesize
394B

MD5
8a19b6b25ab49cdda63ea603a17c3770

SHA1
e31728544e231d0b93d7846c93289031ee3cfbbc

SHA256
f2e7d25fb682f7d1248b713ec15e7e5db9cb6d1dd04431775999da9678c3bf76

SHA512
04331d613d87ddc108d533342cca116e21989c14c4a9e35bed7762ceef61c42cc184bb4ad8e1c92b3ebaf125e13869e71f920baa1a74b24473f334b2969b8751

Download Submit
C:\Users\Admin\AppData\Roaming\douyin\tt_crash_reporter_config.dat

Filesize
5KB

MD5
f74295342b9dd11a89645dd6609bf7cb

SHA1
5376ff7bd2e44ca48081a304a67626bc17968962

SHA256
258991ecb71a336c77b07d5695810dee2ac205d4d965b6b9f324917429cadab5

SHA512
c58917e32f9070ec56e5e6771a5aef3fbfbedc4bb5efba9ee12e87aa432dc3a8c536b412fa9e30b8cd46cbfedc9b2ba5bca7b03af675be9d9c919d4c08f2c572

Download Submit
C:\Users\Admin\AppData\Roaming\douyin_widget\widget-logger.json

Filesize
70KB

MD5
7bdaf1c68821b15b9faf1af09785b77d

SHA1
a4e0694210f2fa0302ee9165bd0119a1e8f3e962

SHA256
e2390eee0cb1e11dfb6c370739bf3bb15a88fac8f3878284f40aebf8b7d5558a

SHA512
507edc9053d64db57a20f19921ce5c64a53b43cc61d94fd90483bff426c54376a3e8613e8a66854bc10ad56382ca2c6a63dcd474a6c5c5b5b45b71727c77cdf8

Download Submit
C:\Users\Admin\Desktop\抖音.lnk

Filesize
1KB

MD5
4c15ebfd1317a08eece238b2fc4863a1

SHA1
75d36aacafe8ae76a4aa9349232c756d1852b337

SHA256
21547dfc5f346e26d58a7f833c494492014d2ba095bdc52041b9e1fb7701220e

SHA512
6922a5d5100606c01da983214826e99a9faa276bb88ef81df765366137bcb1c66149058b5242516ab252a9dafa26e7b0fea40015835f1027b94776cd84b78caa

Download Submit
C:\Users\Admin\Desktop\抖音.lnk~RFe5c3c45.TMP

Filesize
1KB

MD5
d71d74723b99e16a105788508b0d5a00

SHA1
71aa671fba151b27ebc22c590dd715e08f4c2ca0

SHA256
ba7424d80cbe9dcc6c931caeceda279acfca737b7bc4c07df257b2bdd9f93f18

SHA512
7518e0919b015453de29deb2f98b7fb71a7aca9d8d2b8d679b52dc8b565c286e78a2f6498e0dacdf2c859a61db32d2490d5d5fa661da658ab6d87129516ef2cf

Download Submit
memory/544-1759-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1763-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1761-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1762-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1757-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1758-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1760-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1753-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1752-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download
memory/544-1751-0x000000000E590000-0x000000000E591000-memory.dmp

Filesize
4KB

Download