File name:

DоcSеnd_Dеsktоp.exe

Full analysis: https://app.any.run/tasks/6426f38b-4c34-4cb9-bbd8-d4d235f03a0b
Verdict: Malicious activity
Analysis date: June 05, 2025, 08:48:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
arch-exec
arch-doc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

E662DE58B58DF04EA4DC3E55951EF8DD

SHA1:

6BF166E10F3BD745CE22D13577E15B8E11AFCC72

SHA256:

EB97CA955C84BEFA107528FCD52EF8B9906E5223E1BFADA8C2697BC4F408C458

SSDEEP:

196608:mTL4mbRT1cvcdgX/1muNU0V2RiuO76/yMEEEzAsAi1/tzu6T7eqSwN1:O7bRTmvt/ZUM2EEDsA4Ju4pSwn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • The process creates files with name similar to system file names

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • The process drops C-runtime libraries

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • Process drops legitimate windows executable

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • Executable content was dropped or overwritten

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • Process drops python dynamic module

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • Loads Python modules

      • WmiPrvSE.exe (PID: 5988)
      • pythonw.exe (PID: 4988)

    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 7656)

    • Starts CMD.EXE for commands execution

      • WmiPrvSE.exe (PID: 5988)
      • pythonw.exe (PID: 4988)

  • INFO

    • Checks supported languages

      • DоcSеnd_Dеsktоp.exe (PID: 4220)
      • pythonw.exe (PID: 4988)
      • WmiPrvSE.exe (PID: 5988)

    • Create files in a temporary directory

      • DоcSеnd_Dеsktоp.exe (PID: 4220)
      • pythonw.exe (PID: 4988)
      • WmiPrvSE.exe (PID: 5988)

    • Creates files or folders in the user directory

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • The sample compiled with english language support

      • DоcSеnd_Dеsktоp.exe (PID: 4220)

    • Python executable

      • WmiPrvSE.exe (PID: 5988)
      • pythonw.exe (PID: 4988)

    • Manual execution by a user

      • notepad.exe (PID: 776)
      • cmd.exe (PID: 4980)
      • WINWORD.EXE (PID: 7844)
      • OpenWith.exe (PID: 8032)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2568)
      • notepad.exe (PID: 776)
      • WMIC.exe (PID: 5400)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 8032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 184832
UninitializedDataSize: 2048
EntryPoint: 0x358d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
17
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dð¾csðµnd_dðµsktð¾p.exe wmiprvse.exe no specs pythonw.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs notepad.exe no specs openwith.exe no specs rundll32.exe no specs slui.exe winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
776"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\README.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
924\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2568wmic memorychip get CapacityC:\Windows\SysWOW64\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4220"C:\Users\admin\AppData\Local\Temp\DоcSеnd_Dеsktоp.exe" C:\Users\admin\AppData\Local\Temp\DоcSеnd_Dеsktоp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dð¾csðµnd_dðµsktð¾p.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4380\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4404C:\WINDOWS\system32\cmd.exe /c "wmic memorychip get Capacity"C:\Windows\System32\cmd.exepythonw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4980C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\fetch_macholib.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4988"C:\Users\admin\AppData\Local\20250605_084905\x64\pythonw.exe" "C:\Users\admin\AppData\Local\20250605_084905\x64\LICENSE.txt"C:\Users\admin\AppData\Local\20250605_084905\x64\pythonw.exeDоcSеnd_Dеsktоp.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
1
Version:
3.13.0
Modules
Images
c:\users\admin\appdata\local\20250605_084905\x64\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\20250605_084905\x64\vcruntime140.dll
c:\users\admin\appdata\local\20250605_084905\x64\python313.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
5400wmic memorychip get CapacityC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
5988"C:\Users\admin\AppData\Local\20250605_084905\WmiPrvSE.exe" "LICENSE.txt"C:\Users\admin\AppData\Local\20250605_084905\WmiPrvSE.exeDоcSеnd_Dеsktоp.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
1
Version:
3.13.0rc3
Modules
Images
c:\users\admin\appdata\local\20250605_084905\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
Total events
16 441
Read events
16 056
Write events
361
Delete events
24

Modification events

(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7844
Operation:writeName:0
Value:
0B0E107B338F248225254EB178964BB362E7BA230046AEBBB6EDEDBEF5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511A43DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(7844) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
Executable files
101
Suspicious files
130
Text files
24
Unknown types
3

Dropped files

PID
Process
Filename
Type
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\WmiPrvSE.exeexecutable
MD5:1DA662DBBF4E8450CF33528849E5B1DF
SHA256:5A6A312B9359FB2F79D64C61D6AF887821A03105CF3E88789F3C7EECD6BBCADA
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\Temp\nssF9DF.tmp\System.dllexecutable
MD5:9B38A1B07A0EBC5C7E59E63346ECC2DB
SHA256:C881253DAFCF1322A771139B1A429EC1E78C507CA81A218A20DC1A4B25ABBFE7
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\LICENSE.txtbinary
MD5:4141FCAB50F4EA9DE5B380ED86329C7B
SHA256:8A39E3F4AAA96138FAD917ED848B2EB4854E1F703E515E3F09B6EB3B87A23050
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_bz2.pydexecutable
MD5:D10407C662728E69098E7BFE0CDFFB3B
SHA256:583476116D85930B98198616EC59C37982DD8DF7B116B3268C590D4A5B50935B
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_ctypes.pydexecutable
MD5:21EEFC48217403A6FBA63263A77A31B8
SHA256:CD530E4574C6292DA2EDEAB1A785E237E1673CA77BD185758C491C43FCF80660
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_asyncio.pydexecutable
MD5:2F24191230E6239766B6C8E35AA2A531
SHA256:F300FE6A2242DBE08250F63DE1D34BA3F950636024021EDD1C79B953D5D317B0
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_decimal.pydexecutable
MD5:E8C69FCA50D73943C6DA3EBBBAE11292
SHA256:00282050DDF4283E096717343EF24A36C8CC28621F5E460C7A0823F115D14E28
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_ssl.pydexecutable
MD5:294719AD53E1BD7FF122A25E9FE11B58
SHA256:6EB6B4894C9D4B88BDCD91BD2406A61BE8FE0038C74BF04001D0D066CB3FFD28
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_multiprocessing.pydexecutable
MD5:51F045BE76DEE764125F3C2503DAA9F1
SHA256:5DE7F6923BB06FF3AD09CCD640D71E5830CA66C551B2A358A2191B47712EF042
4220DоcSеnd_Dеsktоp.exeC:\Users\admin\AppData\Local\20250605_084905\_hashlib.pydexecutable
MD5:1E8864E3722D7DABB9442CBFA06CB187
SHA256:77B72BDD48CA3AC1DC132997D2AA70B38581301B5A165C03234F22C1F4CE1A71
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
71
DNS requests
28
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7564
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7564
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5864
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5864
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7844
WINWORD.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7844
WINWORD.EXE
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7844
WINWORD.EXE
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
896
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
7564
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
7564
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.128
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.1
  • 40.126.31.0
  • 40.126.31.129
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DоcSеnd_Dеsktоp.exe