Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_AMD64 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 1984-Oct-28 12:46:15 |
Detected languages | English - United States |
Debug artifacts | bfsvc.pdb |
CompanyName | Microsoft Corporation |
FileDescription | Boot File Servicing Utility |
FileVersion | 10.0.18362.1 (WinBuild.160101.0800) |
InternalName | bfsvc.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | bfsvc.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.18362.1 |

Verdict | Finding | Details |
---|---|---|
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Safe | VirusTotal score: 0/70 (Scanned on 2020-02-11 18:31:24) | All the AVs think this file is safe. |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 6 |
TimeDateStamp | 1984-Oct-28 12:46:15 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Optional header field | Value |
---|---|
Magic | PE32+ |
LinkerVersion | 14.0 |
SizeOfCode | 0xa200 |
SizeOfInitializedData | 0x7e00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000000000000A920 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | A.0 |
ImageVersion | A.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x17000 |
SizeOfHeaders | 0x400 |
Checksum | 0x1d0bb |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x80000 |
SizeofStackCommit | 0x2000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
DLL | Imported functions |
---|---|
ADVAPI32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, LookupPrivilegeValueW, GetSecurityDescriptorSacl, AdjustTokenPrivileges, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, SetNamedSecurityInfoW, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, OpenProcessToken, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, GetTokenInformation |
KERNEL32.dll | UnmapViewOfFile, GetLastError, LocalFree, Sleep, GetStartupInfoW, SetUnhandledExceptionFilter, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetVolumeInformationW, FindFirstFileW, HeapFree, SetLastError, FindNextFileW, WriteFile, GetPrivateProfileSectionW, FindClose, GetVolumePathNameW, CreateFileW, GetFileAttributesW, SetFileAttributesW, HeapAlloc, MoveFileExW, GetProcessHeap, CopyFileExW, GetFileInformationByHandle, GetFullPathNameW, FreeLibrary, LoadLibraryExW, GetProcAddress, FlushFileBuffers, MapViewOfFile, CreateFileMappingW, CloseHandle, GetCurrentThread, GetVolumeNameForVolumeMountPointW, DeviceIoControl, GetFileSizeEx, CreateDirectoryW |
msvcrt.dll | wcsstr, _snwscanf_s, _wcslwr, wcsnlen, __iob_func, _wcsnicmp, swprintf_s, memset, fflush, wcschr, wcsrchr, memcpy, ?terminate@@YAXXZ, _commode, _fmode, _wcmdln, __C_specific_handler, _initterm, __setusermatherr, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, _XcptFilter, _wcsicmp, _vsnwprintf, fwprintf, _vsnwprintf_s |
RPCRT4.dll | UuidCreate |
imagehlp.dll | CheckSumMappedFile |
SHELL32.dll | CommandLineToArgvW |
SHLWAPI.dll | PathRemoveBackslashW |
ntdll.dll | NtEnumerateBootEntries, NtQueryDirectoryObject, NtOpenDirectoryObject, NtTranslateFilePath, NtQueryBootOptions, NtQueryBootEntryOrder, NtQueryValueKey, NtQuerySymbolicLinkObject, NtOpenKey, NtOpenSymbolicLinkObject, RtlImpersonateSelf, NtOpenThreadTokenEx, NtOpenProcessTokenEx, NtAdjustPrivilegesToken, RtlFreeHeap, RtlAllocateHeap, NtSetInformationFile, LdrAccessResource, LdrFindResource_U, NtOpenFile, NtQueryInformationThread, NtQueryInformationFile, RtlImageNtHeader, NtDeviceIoControlFile, NtSetInformationThread, NtReadFile, NtOpenProcess, NtQueryInformationProcess, RtlNtStatusToDosError, NtClose, RtlInitUnicodeString, NtWriteFile, NtQuerySystemInformation, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext |
Version info field | Value |
---|---|
Signature | 0xfeef04bd |
StructVersion | 0x10000 |
FileVersion | 10.0.18362.1 |
ProductVersion | 10.0.18362.1 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Boot File Servicing Utility |
FileVersion (#2) | 10.0.18362.1 (WinBuild.160101.0800) |
InternalName | bfsvc.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | bfsvc.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 10.0.18362.1 |
Resource LangID | English - United States |
Debug directory entry: Characteristics | TimeDateStamp | Version | SizeofData | AddressOfRawData | PointerToRawData | Referenced File |
---|---|---|---|---|---|---|
0 | 1984-Oct-28 12:46:15 | 0.0 | 34 | 0x10a58 | 0xf058 | bfsvc.pdb |
0 | 1984-Oct-28 12:46:15 | 0.0 | 516 | 0x10a7c | 0xf07c | |
0 | 1984-Oct-28 12:46:15 | 0.0 | 36 | 0x10c80 | 0xf280 | |
Load configuration field | Value |
---|---|
Size | 0x108 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x140013028 |
GuardCFCheckFunctionPointer | 5368759664 |
GuardCFDispatchFunctionPointer | 0 |
GuardCFFunctionTable | 0 |
GuardCFFunctionCount | 0 |
GuardFlags | (EMPTY) |
CodeIntegrity.Flags | 0 |
CodeIntegrity.Catalog | 0 |
CodeIntegrity.CatalogOffset | 0 |
CodeIntegrity.Reserved | 0 |
GuardAddressTakenIatEntryTable | 0 |
GuardAddressTakenIatEntryCount | 0 |
GuardLongJumpTargetTable | 0 |
GuardLongJumpTargetCount | 0 |
Rich header field | Value |
---|---|
XOR Key | 0x26770d17 |
Unmarked objects | 0 |
C++ objects (26715) | 2 |
ASM objects (26715) | 3 |
C objects (26715) | 19 |
Imports (26715) | 19 |
Total imports | 246 |
264 (26715) | 35 |
Resource objects (26715) | 1 |
Linker (26715) | 1 |