Extracted

• whiteshadow123.exe

  .exe windows:4 windows x86 arch:x86

  51b39aff649af7abc30a06f2362db069

  
  

  Code Sign

  33:00:9f:7b:73:4d:b0:48:04:11:eb:0b:ba:00:00:00:9f:7b:73

  Certificate

  Issuer

  CN=Microsoft Azure RSA TLS Issuing CA 04,O=Microsoft Corporation,C=US

  Not Before

  26-08-2024 16:01

  Not After

  21-08-2025 16:01

  Subject

  CN=www.microsoft.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US

  c3:2e:70:90:c7:7e:bb:af:94:5c:09:cf:66:e0:5c:b1:f9:0f:d0:1b:5f:93:d7:ae:96:94:61:f0:bc:b2:63:83

  Signer

  Actual PE Digest

  c3:2e:70:90:c7:7e:bb:af:94:5c:09:cf:66:e0:5c:b1:f9:0f:d0:1b:5f:93:d7:ae:96:94:61:f0:bc:b2:63:83

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DEBUG_STRIPPED

  Imports

  advapi32

  CryptAcquireContextA

  CryptAcquireContextW

  CryptCreateHash

  CryptDecrypt

  CryptDestroyHash

  CryptDestroyKey

  CryptEnumProvidersW

  CryptExportKey

  CryptGenRandom

  CryptGetHashParam

  CryptGetProvParam

  CryptGetUserKey

  CryptHashData

  CryptReleaseContext

  CryptSetHashParam

  CryptSignHashW

  DeregisterEventSource

  RegCloseKey

  RegEnumKeyExA

  RegNotifyChangeKeyValue

  RegOpenKeyExA

  RegOpenKeyExW

  RegQueryValueExA

  RegisterEventSourceW

  ReportEventW

  SystemFunction036

  bcrypt

  BCryptGenRandom

  crypt32

  CertCloseStore

  CertDuplicateCertificateContext

  CertEnumCertificatesInStore

  CertFindCertificateInStore

  CertFreeCertificateContext

  CertGetCertificateContextProperty

  CertGetEnhancedKeyUsage

  CertGetIntendedKeyUsage

  CertOpenStore

  CertOpenSystemStoreA

  CertOpenSystemStoreW

  gdi32

  BitBlt

  CreateCompatibleBitmap

  CreateCompatibleDC

  DeleteDC

  DeleteObject

  GetDeviceCaps

  SelectObject

  gdiplus

  GdipGetImageEncoders

  GdipGetImageEncodersSize

  GdiplusShutdown

  GdiplusStartup

  iphlpapi

  ConvertInterfaceIndexToLuid

  ConvertInterfaceLuidToNameA

  FreeMibTable

  GetAdaptersAddresses

  GetBestRoute2

  GetUnicastIpAddressTable

  if_indextoname

  if_nametoindex

  kernel32

  AcquireSRWLockExclusive

  CancelIo

  CloseHandle

  CompareFileTime

  ConvertFiberToThread

  ConvertThreadToFiberEx

  CreateEventA

  CreateFiberEx

  CreateFileA

  CreateFileMappingA

  CreateIoCompletionPort

  CreateMutexA

  CreateSemaphoreW

  CreateThread

  CreateToolhelp32Snapshot

  DeleteCriticalSection

  DeleteFiber

  EnterCriticalSection

  ExpandEnvironmentStringsA

  FindClose

  FindFirstFileA

  FindFirstFileW

  FindNextFileW

  FormatMessageW

  FreeLibrary

  GetACP

  GetConsoleMode

  GetCurrentProcessId

  GetCurrentThreadId

  GetDiskFreeSpaceExA

  GetDriveTypeA

  GetEnvironmentVariableA

  GetEnvironmentVariableW

  GetFileAttributesA

  GetFileType

  GetLastError

  GetLogicalDriveStringsA

  GetModuleFileNameA

  GetModuleHandleA

  GetModuleHandleExW

  GetModuleHandleW

  GetNativeSystemInfo

  GetOverlappedResult

  GetProcAddress

  GetProcessHeap

  GetQueuedCompletionStatusEx

  GetStartupInfoA

  GetStdHandle

  GetSystemDirectoryA

  GetSystemInfo

  GetSystemTime

  GetSystemTimeAsFileTime

  GetThreadLocale

  GetTickCount64

  GetTickCount

  GetTimeZoneInformation

  GetVersion

  GetVersionExA

  GlobalMemoryStatusEx

  HeapAlloc

  HeapFree

  InitializeConditionVariable

  InitializeCriticalSection

  IsBadReadPtr

  IsDBCSLeadByteEx

  K32EnumProcesses

  LeaveCriticalSection

  LoadLibraryA

  LoadLibraryW

  MapViewOfFile

  MoveFileExA

  MultiByteToWideChar

  OpenProcess

  PeekNamedPipe

  PostQueuedCompletionStatus

  Process32First

  Process32Next

  QueryFullProcessImageNameA

  QueryPerformanceCounter

  QueryPerformanceFrequency

  ReadConsoleA

  ReadConsoleW

  ReadFile

  RegisterWaitForSingleObject

  ReleaseSRWLockExclusive

  ReleaseSemaphore

  SetConsoleMode

  SetFileCompletionNotificationModes

  SetHandleInformation

  SetLastError

  SetUnhandledExceptionFilter

  Sleep

  SleepConditionVariableCS

  SleepEx

  SwitchToFiber

  SystemTimeToFileTime

  TlsAlloc

  TlsGetValue

  TlsSetValue

  UnmapViewOfFile

  UnregisterWait

  VerSetConditionMask

  VerifyVersionInfoW

  VirtualAlloc

  VirtualFree

  VirtualLock

  VirtualProtect

  VirtualQuery

  WaitForMultipleObjects

  WaitForSingleObject

  WaitNamedPipeA

  WakeAllConditionVariable

  WakeConditionVariable

  WideCharToMultiByte

  WriteFile

  lstrlenA

  msvcrt

  __mb_cur_max

  __setusermatherr

  _findclose

  _fullpath

  _lock

  _strnicmp

  _unlock

  getc

  islower

  isxdigit

  localeconv

  ungetc

  vfprintf

  _findnext

  _findfirst

  _open

  ole32

  CreateStreamOnHGlobal

  shell32

  SHGetKnownFolderPath

  api-ms-win-crt-convert-l1-1-0

  atoi

  mbstowcs

  strtol

  strtoll

  strtoul

  wcstombs

  api-ms-win-crt-environment-l1-1-0

  __p__environ

  __p__wenviron

  getenv

  api-ms-win-crt-filesystem-l1-1-0

  _fstat64

  _stat64

  _unlink

  api-ms-win-crt-heap-l1-1-0

  _set_new_mode

  calloc

  free

  malloc

  realloc

  api-ms-win-crt-locale-l1-1-0

  setlocale

  api-ms-win-crt-math-l1-1-0

  _fdopen

  api-ms-win-crt-private-l1-1-0

  memchr

  memcmp

  memcpy

  memmove

  strchr

  strrchr

  strstr

  wcsstr

  api-ms-win-crt-runtime-l1-1-0

  _set_app_type

  __p___argc

  __p___argv

  __p___wargv

  __p__acmdln

  __sys_errlist

  __sys_nerr

  _assert

  _cexit

  _configure_narrow_argv

  _configure_wide_argv

  _crt_at_quick_exit

  _crt_atexit

  _errno

  _exit

  _fpreset

  _initialize_narrow_environment

  _initialize_wide_environment

  _initterm

  _set_invalid_parameter_handler

  abort

  exit

  raise

  signal

  strerror

  api-ms-win-crt-stdio-l1-1-0

  __acrt_iob_func

  __p__commode

  __p__fmode

  __stdio_common_vfwprintf

  __stdio_common_vsprintf

  __stdio_common_vsscanf

  __stdio_common_vswprintf

  _fileno

  _fseeki64

  _lseeki64

  _wfopen

  _write

  fclose

  feof

  ferror

  fflush

  fgets

  fopen

  fputc

  fputs

  fread

  fseek

  ftell

  fwrite

  rewind

  setvbuf

  _write

  _setmode

  _read

  _open

  _fileno

  _close

  api-ms-win-crt-string-l1-1-0

  _strlwr_s

  isspace

  isupper

  memset

  strcat

  strcmp

  strcpy

  strcspn

  strlen

  strncat

  strncmp

  strncpy

  strpbrk

  strspn

  tolower

  wcscat

  wcscmp

  wcscpy

  wcslen

  _wcsnicmp

  _stricmp

  _strdup

  _strdup

  api-ms-win-crt-time-l1-1-0

  __daylight

  __timezone

  __tzname

  _difftime32

  _difftime64

  _gmtime64

  _mktime64

  _time32

  _time64

  _tzset

  strftime

  api-ms-win-crt-utility-l1-1-0

  _byteswap_uint64

  bsearch

  qsort

  rand

  srand

  user32

  CharUpperA

  EnumDisplayMonitors

  EnumWindows

  FindWindowA

  GetDC

  GetProcessWindowStation

  GetSystemMetrics

  GetUserObjectInformationW

  GetWindowTextA

  MessageBoxW

  ReleaseDC

  SendMessageA

  ws2_32

  WSACleanup

  WSACloseEvent

  WSACreateEvent

  WSAEnumNetworkEvents

  WSAEventSelect

  WSAGetLastError

  WSAIoctl

  WSAResetEvent

  WSASetEvent

  WSASetLastError

  WSAStartup

  WSAStringToAddressW

  WSAWaitForMultipleEvents

  __WSAFDIsSet

  accept

  bind

  closesocket

  connect

  gethostbyaddr

  gethostbyname

  gethostname

  getpeername

  getservbyname

  getservbyport

  getsockname

  getsockopt

  htonl

  htons

  inet_addr

  inet_ntoa

  ioctlsocket

  listen

  ntohl

  ntohs

  recv

  recvfrom

  select

  send

  sendto

  setsockopt

  shutdown

  socket

  Sections

  .text

  Size: 5.1MB - Virtual size: 5.1MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 951KB - Virtual size: 950KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rdata

  Size: 1.3MB - Virtual size: 1.3MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .eh_fram

  Size: 19KB - Virtual size: 19KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .bss

  Size: - Virtual size: 12KB

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .idata

  Size: 11KB - Virtual size: 11KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .CRT

  Size: 512B - Virtual size: 48B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .tls

  Size: 512B - Virtual size: 8B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .reloc

  Size: 211KB - Virtual size: 211KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ