73aef46a3e98adde168e55433bd3d5e90afeab182ff59be3579bedfb355b7470

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2046-Apr-06 03:29:01 (not a real build time: Microsoft's reproducible builds store a hash of the build in TimeDateStamp instead of a timestamp, which is why the same impossible value recurs in the PE header and in every debug directory entry below)
Detected languages English - United States
Debug artifacts bfsvc.pdb
CompanyName Microsoft Corporation
FileDescription Boot File Servicing Utility
FileVersion 10.0.26100.7920 (WinBuild.160101.0800)
InternalName bfsvc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename bfsvc.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.26100.7920

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 8.0 (signature match only: the optional header reports LinkerVersion 14.0, and the Rich header at the end of this report records VS2008 SP1 (build 30729) import objects and build-33145 compiler objects, so Visual C++ 8.0 / Visual Studio 2005 did not build this file)
Suspicious The PE is possibly packed. Unusual section name found: fothk. (Name-only heuristic. The fothk section below is 0x1000 bytes with entropy 0.0159, i.e. almost entirely a single byte value, whereas packed or encrypted code sits near 8 bits per byte; the code-bearing .text section is at a compiler-typical 6.1. Nothing on this page supports packing.)
Malicious The PE contains functions mostly used by malware. (Heuristic match on the import table. Every API below is also imported by ordinary Windows tooling, and the Microsoft version resource, the bfsvc.pdb reference and the 0/72 VirusTotal result argue against malice; read the groups that follow as capabilities, not as a verdict.) [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  (Runtime resolution of optional APIs. The static import table below declares well over a hundred symbols and the Delayed Imports table is empty, so nothing on this page shows hidden imports.)
Functions which can be used for anti-debugging purposes:
  • NtQueryInformationProcess
  • NtQuerySystemInformation
  (Both are general-purpose process and system queries; the report gives no evidence of a debugger check.)
Can access the registry:
  • RegOpenKeyExW
  • RegQueryValueExW
  • RegCloseKey
Uses Windows's Native API:
  • NtEnumerateBootEntries
  • NtQueryDirectoryObject
  • NtOpenDirectoryObject
  • NtTranslateFilePath
  • NtQueryBootOptions
  • NtQueryBootEntryOrder
  • NtQueryValueKey
  • NtQuerySymbolicLinkObject
  • NtOpenKey
  • NtOpenSymbolicLinkObject
  • NtOpenThreadTokenEx
  • NtOpenProcessTokenEx
  • NtAdjustPrivilegesToken
  • NtSetInformationFile
  • NtQuerySystemEnvironmentValueEx
  • NtOpenFile
  • NtQueryInformationThread
  • NtQueryInformationFile
  • NtDeviceIoControlFile
  • NtSetInformationThread
  • NtReadFile
  • NtOpenProcess
  • NtQueryInformationProcess
  • NtClose
  • NtWriteFile
  • NtQuerySystemInformation
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
  • DuplicateTokenEx
Enumerates local disk drives:
  • GetVolumeInformationW
Manipulates other processes:
  • NtOpenProcess
Changes object ACLs:
  • SetNamedSecurityInfoW
Safe VirusTotal score: 0/72 (scanned on 2026-04-13 21:44:59). None of the 72 engines flagged the file. A zero detection count is consistent with a benign Microsoft binary but is not proof on its own; confirm the SHA256 against a known-good copy of bfsvc.exe from the same build, or verify the file's Authenticode/catalog signature with the OS tooling.
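
To see why the packing heuristic above misfires on fothk, here is an added Python example (not part of this report or of the scanner that produced it) that walks the section table of a PE file with nothing but struct, computes per-section Shannon entropy, and only calls a section packed-looking when an unrecognised name coincides with high entropy. The allow-list of common section names, the 7.0 bits-per-byte threshold, and the two-section demo image it constructs (a .text with every byte value equally frequent and a zero-filled fothk) are assumptions for illustration.

```python
import math
import struct
import sys
from collections import Counter

# Section names a Microsoft toolchain emits routinely. Anything else counts as
# "unusual" here; this list is an assumption of the example, not a published rule.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".didat", ".gfids", ".00cfg"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsect, _stamp, _symptr, _nsym,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def classify(section: dict) -> str:
    """Combine both signals instead of flagging on the section name alone."""
    unusual = section["name"] not in COMMON_SECTIONS
    dense = section["entropy"] > HIGH_ENTROPY
    if unusual and dense:
        return "packed-looking"      # both signals agree: worth unpacking
    if unusual:
        return "unusual-name-only"   # e.g. fothk: unknown name, near-constant bytes
    if dense:
        return "high-entropy-only"   # standard name, dense content (resources, data)
    return "normal"


def build_demo_pe() -> bytes:
    """Constructed two-section PE32+ image, valid enough for parse_sections()."""
    text = bytes(range(256)) * 8   # every byte value equally often: entropy exactly 8.0
    fothk = bytes(4096)            # all zeros: entropy 0.0, like the report's fothk
    opt_size, first_raw = 0xF0, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B)   # PE32+ magic
    headers, blobs, raw_ptr, va = b"", [], first_raw, 0x1000
    for name, data in ((b".text", text), (b"fothk", fothk)):
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr,
                               0, 0, 0, 0, 0x60000020)  # CNT_CODE | MEM_EXECUTE | MEM_READ
        blobs.append(data)
        raw_ptr += len(data)
        va += 0x1000
    image = bytearray(dos + b"PE\0\0" + coff + optional + headers)
    image += bytes(first_raw - len(image))  # pad the headers up to the first raw section
    for data in blobs:
        image += data
    return bytes(image)


if __name__ == "__main__":
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    for s in parse_sections(pe):
        print(f"{s['name']:<8} VA 0x{s['virtual_address']:x} raw 0x{s['raw_size']:x} "
              f"entropy {s['entropy']:.4f} -> {classify(s)}")
```

Run it with a path to any PE file to print the same per-section entropies the report lists; without an argument it parses the constructed image, where .text comes out as high-entropy-only and fothk as unusual-name-only, neither of which is the packed-looking combination.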

Hashes

MD5 7780c073701332978ead99072e419e0d
SHA1 5d931fd70d1a802cadbf62f9d87f6bd8fe27a2a2
SHA256 73aef46a3e98adde168e55433bd3d5e90afeab182ff59be3579bedfb355b7470
SHA3 2e0aa94e42e6a2294c382366105cf9dd1d42e7bf75dc8e327080f3dc1f9beb7d
SSDeep 1536:zJrxrAcplocqX9XJqxnRQ97lzdI7B2mOAa3jOvCCJ+Z5NVgPT8KCyxKMg:zJrxs0mxJBtI7BYArCjZ5NePT8Kd4F
Imports Hash c4ab1a38c4625d055bbfedfdf1e0eab5

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2046-Apr-06 03:29:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x10000
SizeOfInitializedData 0xe000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000001620 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 10.0 (printed as hex A.0)
ImageVersion 10.0 (printed as hex A.0)
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x1f000
SizeOfHeaders 0x1000
Checksum 0x20298
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6c1e0a9cef5b9362b02fe31f5797f2a6
SHA1 c8c5fe5cc6b095c68c4c5527d07981039cbf82ff
SHA256 51b45288a96b14e86b35572bce4e4c6111682de07f4504f9bf474366f1a2a679
SHA3 d42f13e84a2d5b32ea9aa73b237149c69304abc7d5460644c0496ed564edd74f
VirtualSize 0xee20
VirtualAddress 0x1000
SizeOfRawData 0xf000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.10412

fothk

MD5 9c88b001c07b313443b7ccc4d7eb9908
SHA1 1c414412d76e7437a0282ceb20f7b09b44944370
SHA256 3e85c7dd0d7fe1306facd8ac520fa0f0a0bf4f057cb6429d08532ba3ad79dc17
SHA3 fec5528b4f93c8d303cd68ca10ee5c96184b4173702e2c6cd3c161165e41f26e
VirtualSize 0x1000
VirtualAddress 0x10000
SizeOfRawData 0x1000
PointerToRawData 0x10000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 0.0159202

.rdata

MD5 bb345bb211b671539d27c86cb96f8ea4
SHA1 6842703fff1df18de5199c65c6beb11c41e6ff79
SHA256 b0262986075b46d78c1eaa186ec702eef79c84c1d838ced06aaa34ced83d6176
SHA3 996a076a7dbb4b727a3264ccf3928ec452d6c0d611dd58860b353fa107717fa7
VirtualSize 0x994c
VirtualAddress 0x11000
SizeOfRawData 0xa000
PointerToRawData 0x11000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.10037

.data

MD5 afe30e0d77f8b49c7c755d4ca02464a9
SHA1 2b542232e29c88873a0615c8812fcc3f8f3f3bfd
SHA256 59d5b35eaac6e665d41cef3a1d68bb4e899cceab129e9fcab37d869283ca32fa
SHA3 8eed127ee3a05a6f7a7951bc7aa72dc144a75ce02072c832b163efb89fe98457
VirtualSize 0x890
VirtualAddress 0x1b000
SizeOfRawData 0x1000
PointerToRawData 0x1b000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.146726

.pdata

MD5 4fe3e404dd4612c055bede648c1aa579
SHA1 26d7199ae1c3cea8ac3f67ea97cf95ae0ea070fc
SHA256 a151f30261d28f202602258a936b5b305656d170613b89c2802a05033741bb5f
SHA3 747ed638d7edfca91e72e910f813bce77c2e026eeb57d26c3c73296c1052656f
VirtualSize 0x678
VirtualAddress 0x1c000
SizeOfRawData 0x1000
PointerToRawData 0x1c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.34712

.rsrc

MD5 a67b4925336278eef42ad534c2e60681
SHA1 c9c6bc8e4d978bff62a9164576653454a439fd34
SHA256 7c22a3a2cf938c123a56da4885c696fab3df6b5c0a5998940c411dbd3a865470
SHA3 d30513fb42a752f86205b140403bed49c447faf6ba7800302422a278e459aee7
VirtualSize 0x818
VirtualAddress 0x1d000
SizeOfRawData 0x1000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.61612

.reloc

MD5 cfefb9cdf450ea96adbae5f0fcdea355
SHA1 2cd7b6f6f16667d1d4ab3e6dd3e358ac491d8d25
SHA256 e7f9c8f18f032947f867e4cd12629488ac4b743ac1351b20922cf5f4fc647ecc
SHA3 3cb1c118c1caaeabb21f5222d967f786e262096e9a2f800b37383a7105568770
VirtualSize 0xb8
VirtualAddress 0x1e000
SizeOfRawData 0x1000
PointerToRawData 0x1e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.274638

Imports

msvcrt.dll __C_specific_handler
wcschr
fflush
_initterm
_vsnwprintf_s
fwprintf
swprintf_s
memcpy
__setusermatherr
_cexit
_wcmdln
_exit
wcsrchr
wcsstr
_wcsnicmp
_commode
_snwscanf_s
memset
?terminate@@YAXXZ
_wcsicmp
_vsnwprintf
_wcslwr
_fmode
wcsnlen
wcsncmp
exit
__set_app_type
__iob_func
__wgetmainargs
_amsg_exit
_XcptFilter
memcmp
wcscmp
RPCRT4.dll UuidCreate
bcrypt.dll BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptOpenAlgorithmProvider
WINTRUST.dll WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust
CRYPT32.dll CertGetNameStringW
imagehlp.dll CheckSumMappedFile
ntdll.dll NtEnumerateBootEntries
NtQueryDirectoryObject
NtOpenDirectoryObject
NtTranslateFilePath
NtQueryBootOptions
NtQueryBootEntryOrder
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenKey
NtOpenSymbolicLinkObject
RtlImpersonateSelf
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtAdjustPrivilegesToken
RtlFreeHeap
RtlAllocateHeap
NtSetInformationFile
NtQuerySystemEnvironmentValueEx
LdrAccessResource
LdrFindResource_U
NtOpenFile
NtQueryInformationThread
NtQueryInformationFile
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
RtlNtStatusToDosError
NtClose
RtlInitUnicodeString
NtWriteFile
NtQuerySystemInformation
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
api-ms-win-core-registry-l1-1-0.dll RegOpenKeyExW
RegQueryValueExW
RegCloseKey
api-ms-win-shcore-obsolete-l1-1-0.dll CommandLineToArgvW
api-ms-win-core-errorhandling-l1-1-0.dll SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
api-ms-win-core-heap-l2-1-0.dll LocalFree
LocalAlloc
api-ms-win-core-synch-l1-2-0.dll Sleep
api-ms-win-core-processthreads-l1-1-0.dll GetCurrentThread
OpenProcessToken
TerminateProcess
SetThreadToken
GetStartupInfoW
OpenThreadToken
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
api-ms-win-core-libraryloader-l1-2-0.dll GetProcAddress
GetModuleHandleW
FreeLibrary
GetModuleHandleExW
LoadLibraryExW
api-ms-win-core-profile-l1-1-0.dll QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll GetTickCount
GetSystemTimeAsFileTime
api-ms-win-core-file-l1-1-0.dll FindClose
WriteFile
FindNextFileW
FindFirstFileW
GetVolumeInformationW
CreateFileW
GetFileAttributesW
SetFileAttributesW
CreateDirectoryW
DeleteFileW
GetFileSizeEx
FindNextFileNameW
FlushFileBuffers
GetFullPathNameW
GetLongPathNameW
FindFirstFileNameW
SetFileInformationByHandle
GetFileInformationByHandle
GetVolumePathNameW
api-ms-win-core-heap-l1-1-0.dll GetProcessHeap
HeapFree
HeapAlloc
api-ms-win-core-privateprofile-l1-1-0.dll GetPrivateProfileSectionW
api-ms-win-core-file-l1-2-0.dll GetVolumeNameForVolumeMountPointW
api-ms-win-core-handle-l1-1-0.dll CloseHandle
api-ms-win-core-file-l2-1-0.dll CopyFileExW
MoveFileExW
GetFileInformationByHandleEx
api-ms-win-eventing-provider-l1-1-0.dll EventRegister
EventWriteTransfer
EventUnregister
api-ms-win-core-shlwapi-legacy-l1-1-0.dll PathRemoveBackslashW
api-ms-win-core-io-l1-1-0.dll DeviceIoControl
api-ms-win-core-memory-l1-1-0.dll CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
api-ms-win-security-base-l1-1-0.dll GetTokenInformation
GetSecurityDescriptorControl
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
AdjustTokenPrivileges
DuplicateTokenEx
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
api-ms-win-security-sddl-l1-1-0.dll ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
api-ms-win-security-provider-l1-1-0.dll SetNamedSecurityInfoW
api-ms-win-security-lsalookup-l2-1-0.dll LookupPrivilegeValueW

Delayed Imports

(none)

Resources

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xc8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.69061
MD5 76e72144b62d69d9d389742807a6828e
SHA1 9df9973862790de39dfb573f9e1e440355dacc04
SHA256 3b11864f5d55c18a71bdbb41a03511404251b7f1e024063ff56c31eec2f8176f
SHA3 9aa4611f03a92de617d79e3cc1eb9320a13e0cd1d7da62a0c1afabc37cac844f

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x39c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.52471
MD5 bfd6dc19e09605e29ef0e7d5e09d8c07
SHA1 ba25fd58fab77cdb13fd7d1306e89a678bd80c62
SHA256 9413f6654a2f16eafe666afc02218c28803f3a55753fd6a9f8eea593a006c086
SHA3 01ff6de94bd23b97e54bc0766f122a2300ea0f1f5b2f0a6fa1bf0159fc7b1f47

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x2ba
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89983
MD5 f0879271ddaf85b13fd3ffbc67e5f24f
SHA1 553e904bb00cec087caca6a1cf144da4abaf76cb
SHA256 d4a6f4bc585aeaaec7cead9f8b35c76db10d489e757a9b69522bb670ae50eb6a
SHA3 c439121aa729fca9bac43b22677098865977d856fa76783b970ccaf9733c6db2

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.26100.7920
ProductVersion 10.0.26100.7920
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Boot File Servicing Utility
FileVersion (#2) 10.0.26100.7920 (WinBuild.160101.0800)
InternalName bfsvc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename bfsvc.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.26100.7920
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2046-Apr-06 03:29:01
Version 0.0
SizeofData 34
AddressOfRawData 0x18438
PointerToRawData 0x18438
Referenced File bfsvc.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2046-Apr-06 03:29:01
Version 0.0
SizeofData 768
AddressOfRawData 0x1845c
PointerToRawData 0x1845c

UNKNOWN

Characteristics 0
TimeDateStamp 2046-Apr-06 03:29:01
Version 0.0
SizeofData 36
AddressOfRawData 0x18784
PointerToRawData 0x18784

UNKNOWN (#2)

Characteristics 0
TimeDateStamp 2046-Apr-06 03:29:01
Version 0.0
SizeofData 4
AddressOfRawData 0x187a8
PointerToRawData 0x187a8

TLS Callbacks

(none)

Load Configuration

Size 0x148
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14001b100
GuardCFCheckFunctionPointer 0x140011768 (printed as decimal 5368780648; RVA 0x11768, inside .rdata)
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xb3175696
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 64
C++ objects (33145) 2
Unmarked objects (#2) 1
ASM objects (33145) 4
C objects (33145) 21
Total imports 281
Imports (33145) 15
C objects (LTCG) (33145) 42
Resource objects (33145) 1
Linker (33145) 1
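
How the XOR key and the per-product counts in this section are recovered, and how to tell a genuine Rich header from a forged one, as an added Python example that is not part of this report: it locates the plaintext `Rich` marker before e_lfanew, XORs backwards until `DanS` appears, splits each entry into product id, build and count, and recomputes the key with the widely documented checksum (the DanS offset, plus each DOS-header/stub byte rotated left by its offset with e_lfanew skipped, plus each component id rotated left by its count). The product ids in the constructed demo image are placeholders, not the real id-to-toolchain mapping; only the builds (30729, 33145) and a few counts echo the table above.

```python
import struct

DANS = 0x536E6144  # "DanS" as a little-endian dword
RICH = b"Rich"


def rol32(value: int, count: int) -> int:
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(prefix: bytes, dans_offset: int, entries) -> int:
    """Key the linker derives from the bytes before DanS and the decoded entries."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:          # e_lfanew is excluded from the sum
            continue
        cksum = (cksum + rol32(prefix[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def parse_rich(image: bytes):
    """Return key, DanS offset, decoded entries and whether the key checks out."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    rich_off = image.find(RICH, 0x40, e_lfanew)
    if rich_off < 0:
        return None                                    # no Rich header at all
    key = struct.unpack_from("<I", image, rich_off + 4)[0]
    words, off = [], rich_off - 4
    while off >= 0x40:                                 # walk back one dword at a time
        word = struct.unpack_from("<I", image, off)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        off -= 4
    else:
        raise ValueError("DanS marker not found")
    words.reverse()                                    # pad, pad, pad, id, count, id, count, ...
    if words[:3] != [0, 0, 0] or len(words) % 2 == 0:
        raise ValueError("malformed Rich header")
    pairs = [(words[i], words[i + 1]) for i in range(3, len(words), 2)]
    entries = [{"prod_id": cid >> 16, "build": cid & 0xFFFF, "count": cnt} for cid, cnt in pairs]
    return {"key": key, "dans_offset": off, "entries": entries,
            "key_valid": rich_checksum(image[:off], off, pairs) == key}


def build_demo_image(entries, key=None) -> bytes:
    """Constructed MZ header + stub + Rich header + PE signature.

    With key=None the correct checksum is used; passing any other key models a
    forged or hand-edited Rich header whose entries still decode fine.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21This program cannot be run in DOS mode.\r\n$"
    stub += bytes(-len(stub) % 16)                     # DanS on a 16-byte boundary
    dans_off = len(dos) + len(stub)
    if key is None:
        key = rich_checksum(bytes(dos) + stub, dans_off, entries)
    body = struct.pack("<IIII", DANS ^ key, key, key, key)  # DanS + three zero pads, XORed
    for cid, cnt in entries:
        body += struct.pack("<II", cid ^ key, cnt ^ key)
    body += RICH + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, dans_off + len(body))  # e_lfanew -> PE signature
    return bytes(dos) + stub + body + b"PE\0\0"


if __name__ == "__main__":
    # Placeholder product ids; only builds and counts mirror the table above.
    demo = [((0x00AB << 16) | 30729, 64), ((0x00F0 << 16) | 33145, 21), ((0x00FF << 16) | 33145, 1)]
    info = parse_rich(build_demo_image(demo))
    print(f"XOR key 0x{info['key']:08x} valid={info['key_valid']}")
    for e in info["entries"]:
        print(f"  prod 0x{e['prod_id']:04x} build {e['build']} count {e['count']}")
```

A key that does not recompute is the practical signal: every entry still decodes, but the header was either edited after linking or copied in from another binary, so the toolchain counts it reports should not be used for attribution.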

Errors

(none)
