Windows Analysis Report
Desktops.exe

Overview

General Information

Sample name: Desktops.exe
Analysis ID: 1615129
MD5: 59f23a92e056eb6161e8488d82c9a408
SHA1: 3cbc588dd659982c591a78660da9de8795fdc46f
SHA256: 5b8f64e090c7c9012e656c222682dfae7910669c7b7afaca35829cd1cc2eac17
Tags: exeKouisMoaMegaByteInformationTechnologCoLtduser-SquiblydooBlog
Infos:

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Contains functionality to hide windows to a different desktop
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Desktops.exe Virustotal: Detection: 16% Perma Link
Source: Desktops.exe Static PE information: certificate valid
Source: Binary string: D:\a\1\s\x64\Release\Desktops64.pdb source: Desktops.exe
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012D64 FindFirstFileExW, 0_2_0000000140012D64
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Desktops.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Desktops.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Desktops.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Desktops.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Desktops.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Desktops.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Desktops.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Desktops.exe String found in binary or memory: http://www.sysinternals.com
Source: Desktops.exe String found in binary or memory: http://www.sysinternals.comopenOne
Source: Desktops.exe String found in binary or memory: https://www.globalsign.com/repository/0
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400028A7 GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,ReleaseDC,DeleteDC, 0_2_00000001400028A7
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002990 PostMessageW,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,PostMessageW, 0_2_0000000140002990

Protection of GUI
barindex
Contains functionality to hide windows to a different desktop
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 DeleteObject,CreateDesktopW,GetLastError,OpenDesktopW,FormatMessageW,MessageBoxW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,SwitchDesktop,SetThreadDesktop,RegOpenKeyW,RegSetValueExW,RegCloseKey, 0_2_0000000140002E50
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 DeleteObject,CreateDesktopW,GetLastError,OpenDesktopW,FormatMessageW,MessageBoxW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,SwitchDesktop,SetThreadDesktop,RegOpenKeyW,RegSetValueExW,RegCloseKey, 0_2_0000000140002E50
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA1C98 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory, 0_2_01FA1C98
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA1B31 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_01FA1B31
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA2A24 NtAllocateVirtualMemory, 0_2_01FA2A24
Detected potential crypto function
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002BF0 0_2_0000000140002BF0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000B7F8 0_2_000000014000B7F8
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014001A838 0_2_000000014001A838
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140004080 0_2_0000000140004080
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000E104 0_2_000000014000E104
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140003110 0_2_0000000140003110
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000B518 0_2_000000014000B518
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140004540 0_2_0000000140004540
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012D64 0_2_0000000140012D64
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140011184 0_2_0000000140011184
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400155C0 0_2_00000001400155C0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400159EC 0_2_00000001400159EC
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 0_2_0000000140002E50
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000B294 0_2_000000014000B294
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400012E0 0_2_00000001400012E0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012B58 0_2_0000000140012B58
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140010778 0_2_0000000140010778
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400173A0 0_2_00000001400173A0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400037D0 0_2_00000001400037D0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA1B31 0_2_01FA1B31
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA114E 0_2_01FA114E
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA3536 0_2_01FA3536
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA0C94 0_2_01FA0C94
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA0000 0_2_01FA0000
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA03F0 0_2_01FA03F0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA06FD 0_2_01FA06FD
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA46B2 0_2_01FA46B2
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD2AE0 0_2_01FD2AE0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD34BE 0_2_01FD34BE
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD1680 0_2_01FD1680
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD1E30 0_2_01FD1E30
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD5B80 0_2_01FD5B80
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD1370 0_2_01FD1370
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD5330 0_2_01FD5330
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD4D00 0_2_01FD4D00
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD362C 0_2_01FD362C
Sample file is different than original file name gathered from version info
Source: Desktops.exe, 00000000.00000002.3278824402.00000001400F1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDesktops2 vs Desktops.exe
Source: Desktops.exe Binary or memory string: OriginalFilenameDesktops2 vs Desktops.exe
Source: classification engine Classification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 DeleteObject,CreateDesktopW,GetLastError,OpenDesktopW,FormatMessageW,MessageBoxW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,SwitchDesktop,SetThreadDesktop,RegOpenKeyW,RegSetValueExW,RegCloseKey, 0_2_0000000140002E50
Source: Desktops.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Desktops.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Desktops.exe Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: wintypes.dll Jump to behavior
Source: Desktops.exe Static PE information: certificate valid
Source: Desktops.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Desktops.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\1\s\x64\Release\Desktops64.pdb source: Desktops.exe
PE file contains sections with non-standard names
Source: Desktops.exe Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FD2A7B push es; ret 0_2_01FD2A97

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download5.png
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Desktops.exe API coverage: 8.5 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012D64 FindFirstFileExW, 0_2_0000000140012D64
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FA1B31 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_01FA1B31
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000F644 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014000F644
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140014030 GetProcessHeap, 0_2_0000000140014030
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140005500 SetUnhandledExceptionFilter, 0_2_0000000140005500
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000F644 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014000F644
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140004EBC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140004EBC
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140005318 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0000000140005318
Source: C:\Users\user\Desktop\Desktops.exe Memory protected: page read and write | page execute and write copy | page guard | page no cache Jump to behavior
Source: Desktops.exe Binary or memory string: Shell_TrayWnd
Source: Desktops.exe Binary or memory string: %dTaskbarCreatedDefaultSysinternals Desktop 1Sysinternals Desktop 2Sysinternals Desktop 3S:(ML;;NW;;;LW)OptionsShownHotkeyModifiersHotkeyIsFunctionSoftware\Sysinternals\Desktops%s: %sDesktopsACCELERATORSShell_TrayWnd\Explorer.exeError creating desktopSoftware\Microsoft\Windows\CurrentVersion\ExplorerAltTabSettingsBUTTONHANDSoftware\Microsoft\Windows\CurrentVersion\RunSysinternals Desktopshttp://www.sysinternals.comopenOne or more of the specified hotkeys are in use.
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014001A680 cpuid 0_2_000000014001A680
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140005570 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0000000140005570
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1615129 Sample: Desktops.exe Startdate: 14/02/2025 Architecture: WINDOWS Score: 60 8 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->8 10 Multi AV Scanner detection for submitted file 2->10 5 Desktops.exe 2->5         started        process3 signatures4 12 Contains functionality to hide windows to a different desktop 5->12
No contacted IP infos