Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs Beautify Desktop Wallpaper

Beautify Desktop Wallpaper

By GoldSparrow in Potentially Unwanted Programs

Threat Scorecard

Popularity Rank: 441
Threat Level: 90 % (High)
Infected Computers: 971,946
First Seen: May 8, 2017
Last Seen: April 17, 2026
OS(es) Affected: Windows

Users who are experiencing the rotation and changes of their desktop wallpapers by an application named Beautify Desktop Wallpaper may want to know that Beautify Desktop Wallpaper is associated with adware and Potentially Unwanted Programs (PUPs). The Beautify Desktop Wallpaper serves as a gateway to connections with various websites that may share information about your machine and get instructions from its developers. When Beautify Desktop Wallpaper is running on an affected computer, it may connect to the sites https://servicehost.cf, https://svc-host.net, https://nvda.cf, https://svc-host.net,https://moz-update.cf and https://ms-dev.cf. The Beautify Desktop Wallpaper is not considered as harmful, but the applications and websites linked to it may slow down your computer and display unwanted advertisements.

If you have Beautify Desktop Wallpaper installed on your computer and want to know where it come from, there is a tactic called bundling that may be used by adware, PUPs and browser hijackers to get access to a computer when the computer users don't pay attention to what they are allowing to be installed on their machines. Also, computer users may install Beautify Desktop Wallpaper on their computers due to the beautiful women photos it shows as their wallpapers. No matter how Beautify Desktop Wallpaper entered your machine, if you want to remove it, security analysts advise users to incorporate a trustworthy anti-malware application on their systems to eradicate Beautify Desktop Wallpaper and its related content from their machines.

Analysis Report

General information

Family Name: HEUR.Trojan.Injector.Win32.Generic
Signature status: No Signature

Known Samples

MD5: c162ceec7360982e47abc2ed72d8e6df
SHA1: e30ab7de934f7a7c9d5bae193f71cb8f63fe5cb9
File Size: 1.82 MB, 1820672 bytes
MD5: e11e78fc2219709cae13da0978ee0b87
SHA1: 9328af0807f6edc7d3f04abe73da1039cecf6209
SHA256: 05F9AB7651EE1B4D3AFFB20ECFA3DE6A75936668C863B5CF51CC977DFDCF0907
File Size: 595.37 KB, 595372 bytes
MD5: 3f21afbacecfca17d563c3f8e0f1aaf4
SHA1: b2686cc7021c8eb1702391f53b4a628e2b05472a
SHA256: 2FD813006AF428FBE674A70D47EDD48B3C40CD1B99CD572287D76049DDB54679
File Size: 14.34 KB, 14336 bytes
MD5: a00dcd62f7d645db67c26d8a06040153
SHA1: 146995082736ff6bf0153105beca78a4a940fca6
SHA256: 69595189A96C0BAF98CF7B67B99CB142AEB19AD97653B1E5991AF8CADBA1FFB3
File Size: 830.46 KB, 830464 bytes
MD5: 2c9bea005f8cc4ec27e7365d55269f32
SHA1: 5b75fef9e2cccaf0d3945b42e2fb4b5dac2263db
SHA256: 38BDA6B8E0418951D1D25F2F989ED888F68255441074838590BA363FD6B14E81
File Size: 2.89 MB, 2890752 bytes
Show More
MD5: d82a4e03f7079c2cb44a448c01ff3798
SHA1: 861bbf9daaffd47924c6fedd9450b102e71face8
SHA256: E9C6BF97A854D8FE9877752B6E8A32095E8EEE351BF4901DE4AECCF89B591F42
File Size: 40.45 KB, 40448 bytes
MD5: 4c1c7a670eb658dabaf549486b08405b
SHA1: 9ddf989c83b22fc3d87c36272c8a75a18efa5e92
SHA256: 07D4A8A85274031C9DCFECC6890674CF104895554D8D469538ACE1F0FC24561F
File Size: 8.22 MB, 8224256 bytes
MD5: e2906a4adcb71477f05a990ab7d25b0b
SHA1: b47574927c6596fbb3fda9a449b14ace3d9248b6
SHA256: A3A25296E4F20233C3DC906B8927166F734AEFE5D628E5385376E9FD16C7C625
File Size: 412.16 KB, 412160 bytes
MD5: 3a4ef5857aa67f84270848a2fa371438
SHA1: 78e51882b31365aa59476489a0adb3eeb77e75b0
SHA256: 1D0A1D1775DB8BD64E1DA9157227B31334B4A536E8B0CA8D6F29AE69A015D076
File Size: 7.72 MB, 7718400 bytes
MD5: 6f7b7df5ee680c90b21cb9c95538e9f4
SHA1: 41af2d495c57134d0a71ddb70210e984db99bdd2
SHA256: AECE45230390E582EBC77A525CF6741C60A8D7EBEC04AB8CCC9879802466E97D
File Size: 7.70 MB, 7704576 bytes
MD5: f0bb4dc4f2a723e0a6c325d10b392647
SHA1: b0d8751ee635014e1d3a389c499cfd39c4b5edb7
SHA256: 640013639C2E230F87D09A48804A6BA9AD25CEBC8EB81F3035696351157953AC
File Size: 6.57 MB, 6566912 bytes
MD5: f8f8e91f3340c358f8804a8330947487
SHA1: 689613f63aec935fa506efea8c6a140a6de03526
SHA256: 19E17B0404F62F472C99FFE7847C928657CBF325FA712F865A923A22C3B24B15
File Size: 6.36 MB, 6362112 bytes
MD5: 5ddb83360d535494fa9b818d10808299
SHA1: 31812427f84c898007c9ead07b2664bfb422a6f0
SHA256: 1C5AB27DD95EB87B4EEC879DBDFD4E41479C388EDEC0B78F387B3D48C5B84382
File Size: 6.36 MB, 6362112 bytes
MD5: 0485936ac8fe9193612dd4b338926a99
SHA1: 4a534c6436fcd7ebfc7b2d8f9e8fff3c74af2057
SHA256: 821729352B2D38BD5B6691423F0D61745E24DA1E93CF119E22F2B00966AB0C1F
File Size: 7.73 MB, 7734272 bytes
MD5: ed48cf5cfb19aa9a48fc11cc73077def
SHA1: 8c325429c97f95d3631f3040b72d1354af749b5b
SHA256: C463A9949C80559EE5B52EE71C9B47DE1259D01B578621E58A132AC408F2AB41
File Size: 6.36 MB, 6362112 bytes
MD5: 67a754ee8b8c21000a2fcc5bf97ef68d
SHA1: fb913be5af525f789db1edcbb805866d82ac517f
SHA256: 247BACA9B6B9E66822E882903A0C4EFE1FFF45D19DD9C826A61AB78F8FF2E1DC
File Size: 6.36 MB, 6362112 bytes
MD5: dd733b1778cde328c0b07a78d26cfffe
SHA1: 59cf9c783025f4f16319e859931ed83f476395ca
SHA256: 50B0102916F89FEE983CACE99249EFDA8C078D291FD3BCE821076CAA50123F1F
File Size: 6.57 MB, 6566912 bytes
MD5: 8d91e6dba4b4c09cfa54d68bd82f4539
SHA1: 8c664eb0ccb13c4f901feea3078b26c4d74154d2
SHA256: AE2D725F14DABD90B370646BEBF2270C8EAE10D0F16B57A76C29BA7652E96B6E
File Size: 6.36 MB, 6362112 bytes
MD5: d691fb129a021dfe2dd08629da39f211
SHA1: fee07330b6b2343524cb1388373eaa7723258516
SHA256: 5921FCA3A7698B98B2605E22D85A3D1DD212E2CCC3D2AA409D8E5CA7B61BCFAA
File Size: 6.36 MB, 6362112 bytes
MD5: eb8838bf209f0c197f61823713b93824
SHA1: 78699ba985856227214fc6ddd2e365e3371a9413
SHA256: A95D22C032C9E41235DE0E356741E8BAD8B59D3B99C3DB372AD101A8D63AA19A
File Size: 6.57 MB, 6566912 bytes
MD5: 1eb63e4910c22de489578983b6cb6a2b
SHA1: e1bb30bd93fda792846ad9de8151a145fdb60af6
SHA256: A85DF110C5C2B86C4885030ABCB2E0AE784615CEADC41BBA8BF1B6C1FBECB6EF
File Size: 6.36 MB, 6362112 bytes
MD5: 19691be3cc8ee2d6ff1625e605d0858a
SHA1: eec78c134bbcbc4bd9edecd7d5713bdeb275f2a3
SHA256: 99CC2B1484CED815BED8C12812F45837FD3D29210F3A6C0A5EFE8DC68A93CD24
File Size: 295.94 KB, 295936 bytes
MD5: 79ef01217aa0f19dbf5f6a0314dc47f1
SHA1: a5e65f56c9f402a0faa6343bc66ea95794430379
SHA256: 3CB3A7EC1432B1C6814B93EE5C30E34A6DCE3DA1FC6A69B47E0F39124BACE9E5
File Size: 6.16 MB, 6157312 bytes
MD5: e9d8d81b52bb0b2a1711ae793ead692f
SHA1: 0bb98ca8deb1dbad59e6eb778035fcaa18920a90
SHA256: 6826DB0DC5B5F9FF1158D3152234245FCAE87365F4CD89BD6257D8B1CEE0A04A
File Size: 3.61 MB, 3607552 bytes
MD5: 4bdf9244652590a1e53810d9a6cfce95
SHA1: 3228a01f28dccabc9e774398c6063adac581d214
SHA256: AA05AC5BAA6545EF1D10C3FCD17FBF962B10704DA1534BABD5EDE5FA6B32C85D
File Size: 6.16 MB, 6157312 bytes
MD5: d1228ba383a5aeedc706303eb1a115ba
SHA1: b70a45407c9042bad6035048e66c38bc9bc83f9a
SHA256: ED86D65093068BAD71634B9CEDDAF89C62EADB4CFEF04B7A55C1CE116C297A94
File Size: 6.36 MB, 6362112 bytes
MD5: cf7f5015a51207bc9df385bf90a5fc49
SHA1: 752817dff2a58229e64286da3a0a9a9903f41c7f
SHA256: F87ADBDA1BAC227B079AEBCBA781E84B544F51BB8D7354A701BEFEA540C08DE7
File Size: 6.36 MB, 6362112 bytes
MD5: cb81df5782b344e335a3e74199b2d302
SHA1: 34cc0d756ae691789384f07702be9bf7a83bca04
SHA256: 800CD171BA5B0EE2CCBAE30F6976D6BF4C9948775C5DAEB608525BF0F29A23E9
File Size: 6.36 MB, 6362112 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
Show More
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name https://github.com/libxcc/xcc-core
File Description
  • IRONPUR Launcher
  • Trainer Spy {mul0} [v2.3.3]
  • xcc-core
File Version
  • 2.3.3.0
  • 1.0.0.0
  • 0,0,1,0
Internal Name
  • ironshot
  • xcc-core.dll
Legal Copyright Copyright (C) 2024
Original Filename xcc-core.dll
Product Name
  • IRONPUR
  • Trainer Spy {mul0} [v2.3.3][x32]
  • xcc-core
Product Version
  • 2.3.3.0
  • 1.0.0.0
  • 0,0,1,0
Program I D com.embarcadero.CEHack

File Traits

  • 2+ executable sections
  • big overlay
  • dll
  • fptable
  • HighEntropy
  • No Version Info
  • ntdll
  • packed
  • themida
  • VirtualQueryEx
Show More
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 1,924
Potentially Malicious Blocks: 228
Whitelisted Blocks: 1,074
Unknown Blocks: 622

Visual Map

? ? x x x x x x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x x ? x x x x x x x x x x x x x x x 0 x 0 x 1 x 0 x ? 0 x x x x x x x ? x ? ? ? x ? ? 0 x ? ? ? ? x 0 x x x x x x x x x x x ? 0 x x ? x x x x x x x x x x x 0 x x x x x x x x x x 0 x 0 0 ? x 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? ? 0 ? 0 ? ? ? ? 0 0 x 0 ? 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? x ? ? ? 0 0 0 ? ? 0 0 0 0 ? ? x 0 ? x 0 0 0 0 ? 0 ? ? 0 0 ? 0 ? ? x 0 ? 0 ? 0 ? 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 x 0 0 0 0 0 ? 0 ? 0 0 0 x ? 0 0 ? ? ? 0 x 0 ? ? 0 0 x ? 0 x 0 ? ? ? 0 ? 0 0 0 0 ? 0 0 0 0 0 0 x 0 ? ? 0 x 0 x ? x ? 0 ? ? 0 0 0 0 0 ? 0 0 ? 0 0 ? 0 0 0 0 0 0 x 0 ? 0 0 ? 0 ? 0 0 0 0 0 0 ? ? ? 0 0 0 0 ? ? 0 0 ? ? ? 0 0 ? 0 x ? x x x ? ? 0 ? ? ? 0 ? ? ? 0 0 ? ? ? 0 ? x 0 0 ? ? 0 0 x 0 ? 0 ? ? 0 0 x x ? ? x 0 ? ? ? ? x x ? ? ? 0 0 ? ? ? 0 ? 0 ? ? ? 0 ? ? 0 0 ? 0 ? ? ? 0 x ? x x 0 0 ? 0 0 x ? ? ? ? 0 0 0 0 0 0 ? ? ? 0 ? x ? ? 0 0 0 0 ? 0 ? ? 0 0 ? x 0 0 x ? ? ? ? ? ? ? ? 0 0 ? ? ? ? 0 ? ? 0 ? 0 0 ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? x 0 ? ? ? ? x ? 0 x 0 x 0 0 0 ? ? ? ? ? ? 0 x ? 0 ? 0 0 0 0 ? ? ? 0 0 ? 0 0 ? 0 ? 0 0 0 0 ? ? ? ? ? 0 0 ? 0 0 0 0 0 ? ? 0 ? x ? ? ? 0 ? ? 0 ? ? 0 ? 0 0 0 0 0 ? ? ? ? 0 ? ? 0 x 0 0 x 0 ? 0 0 ? ? 0 0 x ? ? ? ? ? 0 ? ? 0 ? ? 0 ? 0 0 0 x 0 ? ? 0 ? ? 0 ? ? 0 ? ? 0 0 0 0 ? x 0 0 0 ? ? 0 ? ? x 0 ? 0 ? ? ? 0 ? x 0 0 ? 0 0 0 0 0 ? ? ? 0 ? ? ? ? 0 ? ? ? x 0 0 0 0 ? 0 0 0 0 0 0 0 x ? ? ? 0 ? ? ? 0 ? ? ? ? 0 0 0 0 ? ? 0 0 0 ? ? ? ? 0 0 ? 0 0 0 ? x 0 ? 0 ? x ? ? 0 0 x 0 ? ? 0 0 0 0 0 ? 0 x ? ? 0 0 ? x 0 ? ? ? ? ? ? 0 0 0 x 0 ? ? ? x 0 ? ? ? ? x ? x ? 0 0 0 0 0 ? ? x 0 ? 0 ? x 0 x ? x 0 0 x 0 0 x 0 x 0 0 0 0 ? 0 0 ? ? ? ? x ? 0 0 ? 0 0 0 ? x 0 x 0 0 0 0 0 ? ? 0 ? ? 0 ? 0 ? 0 0 0 ? 0 0 ? ? 0 0 0 0 ? 0 ? 0 0 x ? x 0 ? 0 ? 0 ? ? ? ? 0 0 0 x 0 ? 0 ? ? 0 ? x ? 0 0 ? ? 0 0 0 ? ? 0 ? 0 0 x ? 0 ? 0 ? 0 0 ? ? ? ? ? 0 ? ? x ? ? x ? 0 ? ? 0 0 0 ? 0 ? 0 0 0 ? 0 x 0 ? 0 ? ? ? x 0 ? 0 x 0 ? ? 0 x ? ? 0 0 ? 0 ? 0 0 0 0 0 ? 0 0 ? x 0 ? 0 ? ? 0 0 ? ? 0 ? ? ? ? ? 0 ? 0 0 0 0 ? ? 0 0 ? 0 ? ? ? ? ? 0 0 0 ? 0 0 ? ? ? ? 0 0 ? ? ? ? ? 0 0 ? 0 ? ? ? 0 ? ? 0 x ? x ? 0 0 ? ? x ? ? ? 0 0 x 0 ? 0 ? ? ? 0 0 ? ? ? ? ? 0 ? x 0 ? ? x 0 ? 0 ? ? ? 0 ? ? 0 ? ? ? ? 0 ? 0 ? 0 ? ? ? 0 ? 0 x 0 ? ? ? ? ? x ? ? 0 ? 0 ? 0 ? ? ? ? 0 0 ? ? 0 ? 0 ? 0 ? ? 0 ? ? ? ? ? x 0 x ? ? ? ? ? ? ? 0 ? x ? 0 ? ? 0 ? ? ? ? ? ? 0 0 ? 0 ? ? ? 0 ? x ? ? ? 0 0 x 0 ? ? ? 0 ? 0 ? ? 0 0 0 ? ? ? 0 0 ? ? 0 x ? ? ? ? ? 0 0 0 0 ? ? ? ? ? ? 0 ? 0 ? x 0 0 ? 0 ? 0 ? 0 ? x 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? ? 0 ? ? x ? ? 0 ? 0 ? ? 0 0 x ? 0 ? 0 0 0 ? ? ? 0 x ? 0 ? 0 ? 0 0 ? ? 0 ? ? ? 0 ? 0 x ? ? ? ? ? 0 0 0 ? ? ? ? x ? x ? 0 x ? ? ? ? ? ? ? 0 x ? 0 0 ? ? ? 0 ? 0 x 0 ? ? ? ? ? ? 0 0 ? ? ? 0 ? ? ? ? 0 ? x ? ? ? ? ? 0 ? ? ? x ? ? 0 ? x x 0 0 ? ? 0 x ? x 0 ? 0 0 ? ? ? x ? ? 0 ? 0 ? 0 0 0 0 ? ? ? 0 ? 0 ? ? ? 0 0 0 ? 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • CobaltStrike.UM
  • Danabot.DA
  • Malex.K
  • ReverseShell.GG
  • ShellcodeRunner.TS

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\chromehelpersync Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\administrator\appdata\local\temp\mrd_started.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_cz4fcyuz.zwq.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_gefkoeta.utb.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2146859.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2147031.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2147171.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2149328.dll Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\kd_2236640.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2367578.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2927234.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2928031.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2928078.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2929046.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_5678843.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_7516203.dll Generic Write,Read Attributes
c:\windows\federalcheat.dll Generic Write,Read Attributes
c:\windows\hdn.dll Generic Write,Read Attributes
c:\windows\windivert.dll Generic Write,Read Attributes
c:\windows\windivert64.sys Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\edge\blbeacon::failed_count RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes (NULL) RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ㈟쒳ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
Show More
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory

21 additional items are not displayed above.

Network Winhttp
  • WinHttpOpen
Encryption Used
  • BCryptOpenAlgorithmProvider
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Terminate
  • TerminateProcess
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\eec78c134bbcbc4bd9edecd7d5713bdeb275f2a3_0000295936.,LiQMAxHB
wmic cpu get processorid
powershell.exe -NoProfile -NonInteractive -Command "(Get-CimInstance -ClassName Win32_Processor).ProcessorId"

Trending

Most Viewed

Loading...