Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs Beautify Desktop Wallpaper

Beautify Desktop Wallpaper

By GoldSparrow in Potentially Unwanted Programs

Threat Scorecard

Popularity Rank: 374
Threat Level: 90 % (High)
Infected Computers: 971,196
First Seen: May 8, 2017
Last Seen: February 6, 2026
OS(es) Affected: Windows

Users who are experiencing the rotation and changes of their desktop wallpapers by an application named Beautify Desktop Wallpaper may want to know that Beautify Desktop Wallpaper is associated with adware and Potentially Unwanted Programs (PUPs). The Beautify Desktop Wallpaper serves as a gateway to connections with various websites that may share information about your machine and get instructions from its developers. When Beautify Desktop Wallpaper is running on an affected computer, it may connect to the sites https://servicehost.cf, https://svc-host.net, https://nvda.cf, https://svc-host.net,https://moz-update.cf and https://ms-dev.cf. The Beautify Desktop Wallpaper is not considered as harmful, but the applications and websites linked to it may slow down your computer and display unwanted advertisements.

If you have Beautify Desktop Wallpaper installed on your computer and want to know where it come from, there is a tactic called bundling that may be used by adware, PUPs and browser hijackers to get access to a computer when the computer users don't pay attention to what they are allowing to be installed on their machines. Also, computer users may install Beautify Desktop Wallpaper on their computers due to the beautiful women photos it shows as their wallpapers. No matter how Beautify Desktop Wallpaper entered your machine, if you want to remove it, security analysts advise users to incorporate a trustworthy anti-malware application on their systems to eradicate Beautify Desktop Wallpaper and its related content from their machines.

Analysis Report

General information

Family Name: HEUR.Trojan.Injector.Win32.Generic
Signature status: No Signature

Known Samples

MD5: c162ceec7360982e47abc2ed72d8e6df
SHA1: e30ab7de934f7a7c9d5bae193f71cb8f63fe5cb9
File Size: 1.82 MB, 1820672 bytes
MD5: e11e78fc2219709cae13da0978ee0b87
SHA1: 9328af0807f6edc7d3f04abe73da1039cecf6209
SHA256: 05F9AB7651EE1B4D3AFFB20ECFA3DE6A75936668C863B5CF51CC977DFDCF0907
File Size: 595.37 KB, 595372 bytes
MD5: 3f21afbacecfca17d563c3f8e0f1aaf4
SHA1: b2686cc7021c8eb1702391f53b4a628e2b05472a
SHA256: 2FD813006AF428FBE674A70D47EDD48B3C40CD1B99CD572287D76049DDB54679
File Size: 14.34 KB, 14336 bytes
MD5: a00dcd62f7d645db67c26d8a06040153
SHA1: 146995082736ff6bf0153105beca78a4a940fca6
SHA256: 69595189A96C0BAF98CF7B67B99CB142AEB19AD97653B1E5991AF8CADBA1FFB3
File Size: 830.46 KB, 830464 bytes
MD5: 2c9bea005f8cc4ec27e7365d55269f32
SHA1: 5b75fef9e2cccaf0d3945b42e2fb4b5dac2263db
SHA256: 38BDA6B8E0418951D1D25F2F989ED888F68255441074838590BA363FD6B14E81
File Size: 2.89 MB, 2890752 bytes
Show More
MD5: d82a4e03f7079c2cb44a448c01ff3798
SHA1: 861bbf9daaffd47924c6fedd9450b102e71face8
SHA256: E9C6BF97A854D8FE9877752B6E8A32095E8EEE351BF4901DE4AECCF89B591F42
File Size: 40.45 KB, 40448 bytes
MD5: 4c1c7a670eb658dabaf549486b08405b
SHA1: 9ddf989c83b22fc3d87c36272c8a75a18efa5e92
SHA256: 07D4A8A85274031C9DCFECC6890674CF104895554D8D469538ACE1F0FC24561F
File Size: 8.22 MB, 8224256 bytes
MD5: e2906a4adcb71477f05a990ab7d25b0b
SHA1: b47574927c6596fbb3fda9a449b14ace3d9248b6
SHA256: A3A25296E4F20233C3DC906B8927166F734AEFE5D628E5385376E9FD16C7C625
File Size: 412.16 KB, 412160 bytes
MD5: 3a4ef5857aa67f84270848a2fa371438
SHA1: 78e51882b31365aa59476489a0adb3eeb77e75b0
SHA256: 1D0A1D1775DB8BD64E1DA9157227B31334B4A536E8B0CA8D6F29AE69A015D076
File Size: 7.72 MB, 7718400 bytes
MD5: 6f7b7df5ee680c90b21cb9c95538e9f4
SHA1: 41af2d495c57134d0a71ddb70210e984db99bdd2
SHA256: AECE45230390E582EBC77A525CF6741C60A8D7EBEC04AB8CCC9879802466E97D
File Size: 7.70 MB, 7704576 bytes
MD5: f0bb4dc4f2a723e0a6c325d10b392647
SHA1: b0d8751ee635014e1d3a389c499cfd39c4b5edb7
SHA256: 640013639C2E230F87D09A48804A6BA9AD25CEBC8EB81F3035696351157953AC
File Size: 6.57 MB, 6566912 bytes
MD5: f8f8e91f3340c358f8804a8330947487
SHA1: 689613f63aec935fa506efea8c6a140a6de03526
SHA256: 19E17B0404F62F472C99FFE7847C928657CBF325FA712F865A923A22C3B24B15
File Size: 6.36 MB, 6362112 bytes
MD5: 5ddb83360d535494fa9b818d10808299
SHA1: 31812427f84c898007c9ead07b2664bfb422a6f0
SHA256: 1C5AB27DD95EB87B4EEC879DBDFD4E41479C388EDEC0B78F387B3D48C5B84382
File Size: 6.36 MB, 6362112 bytes
MD5: 0485936ac8fe9193612dd4b338926a99
SHA1: 4a534c6436fcd7ebfc7b2d8f9e8fff3c74af2057
SHA256: 821729352B2D38BD5B6691423F0D61745E24DA1E93CF119E22F2B00966AB0C1F
File Size: 7.73 MB, 7734272 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
Show More
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
File Description Trainer Spy {mul0} [v2.3.3]
File Version 2.3.3.0
Product Name Trainer Spy {mul0} [v2.3.3][x32]
Product Version 2.3.3.0
Program I D com.embarcadero.CEHack

File Traits

  • 2+ executable sections
  • big overlay
  • dll
  • fptable
  • HighEntropy
  • No Version Info
  • ntdll
  • packed
  • themida
  • VirtualQueryEx
Show More
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 184
Potentially Malicious Blocks: 2
Whitelisted Blocks: 172
Unknown Blocks: 10

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 ? ? 0 ? ? x ? x ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 1 0 1 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • CobaltStrike.UM
  • Danabot.DA
  • Malex.K
  • ReverseShell.GG
  • ShellcodeRunner.TS

Files Modified

File Attributes
\device\namedpipe\chromehelpersync Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\administrator\appdata\local\temp\mrd_started.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2147171.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2927234.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kd_2929046.dll Generic Write,Read Attributes
c:\windows\federalcheat.dll Generic Write,Read Attributes
c:\windows\hdn.dll Generic Write,Read Attributes
c:\windows\windivert.dll Generic Write,Read Attributes
c:\windows\windivert64.sys Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\edge\blbeacon::failed_count RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes (NULL) RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes  RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
Show More
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId

9 additional items are not displayed above.

Network Winhttp
  • WinHttpOpen
Encryption Used
  • BCryptOpenAlgorithmProvider
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory

Trending

Most Viewed

Loading...