b75d52e7dbeef44a2c3324a2ce0272c9

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 1984-Oct-28 12:46:15
Detected languages English - United States
Debug artifacts bfsvc.pdb
CompanyName Microsoft Corporation
FileDescription Boot File Servicing Utility
FileVersion 10.0.18362.1 (WinBuild.160101.0800)
InternalName bfsvc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename bfsvc.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.18362.1

Plugin Output

Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • NtQueryInformationProcess
  • NtQuerySystemInformation
Can access the registry:
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegCloseKey
Uses Windows's Native API:
  • NtEnumerateBootEntries
  • NtQueryDirectoryObject
  • NtOpenDirectoryObject
  • NtTranslateFilePath
  • NtQueryBootOptions
  • NtQueryBootEntryOrder
  • NtQueryValueKey
  • NtQuerySymbolicLinkObject
  • NtOpenKey
  • NtOpenSymbolicLinkObject
  • NtOpenThreadTokenEx
  • NtOpenProcessTokenEx
  • NtAdjustPrivilegesToken
  • NtSetInformationFile
  • NtOpenFile
  • NtQueryInformationThread
  • NtQueryInformationFile
  • NtDeviceIoControlFile
  • NtSetInformationThread
  • NtReadFile
  • NtOpenProcess
  • NtQueryInformationProcess
  • NtClose
  • NtWriteFile
  • NtQuerySystemInformation
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Enumerates local disk drives:
  • GetVolumeInformationW
Manipulates other processes:
  • NtOpenProcess
Changes object ACLs:
  • SetNamedSecurityInfoW
Safe VirusTotal score: 0/70 (Scanned on 2020-02-11 18:31:24) All the AVs think this file is safe.

Hashes

MD5 b75d52e7dbeef44a2c3324a2ce0272c9
SHA1 1f33080674a72e08ba039301070c5310c7f13f23
SHA256 3b0c76dc0eab627c2940124edd5696606783b661737f7a89073c0e8ab65af925
SHA3 ac3c9f4114cfc557666ee61205a63839ab6a6ab98313ad32fd3107985affbba8
SSDeep 1536:8VRuhv3kcGhiwYMvCG/PBYSXtAC3xTkehjgph:8DuhvJGgwPPiSn+ehK
Imports Hash f41b87798d00b8f15d03bb04c3c82200

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 1984-Oct-28 12:46:15
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xa200
SizeOfInitializedData 0x7e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000A920 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x17000
SizeOfHeaders 0x400
Checksum 0x1d0bb
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 4a8a839b301e291a2ba577f5c1eb7204
SHA1 2793e8a7d25eccc2840e7057869f11070cc27f8a
SHA256 288c813427964523cef9534894cd11dbe1f7ce1d9bf77468e48e0e23542c764f
SHA3 2378b5da258d280164932d90f30e7b57da2235b53620ffe1fda5365a2f104376
VirtualSize 0xa190
VirtualAddress 0x1000
SizeOfRawData 0xa200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.21463

.rdata

MD5 f6f74e39906d9965e163a09f3a3bf29d
SHA1 7a69092393517331d0f4f74fb150ba111ed71334
SHA256 cc090b81acfbf70dda3c9ba83d2fdd470ea2545d90427013bd95c11b309eb894
SHA3 77c09876537fcac23ed8f99b031425cd0c80cc8b0373ef4c2453cda8b42ef7d9
VirtualSize 0x63b6
VirtualAddress 0xc000
SizeOfRawData 0x6400
PointerToRawData 0xa600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.1269

.data

MD5 97d3458c8eea506a4dcdc63cf887e87e
SHA1 84ac8a7471074ddcb8d291531a62413549c592da
SHA256 c3dece6ef79b899c2ba185ae6eb52960c9ed9153431af18ad8d22921f3c6eb76
SHA3 2f4d2d124fc27eae6887ea8221d467bc7d208c27e052227e786dc0ff24ddb9be
VirtualSize 0x6a0
VirtualAddress 0x13000
SizeOfRawData 0x200
PointerToRawData 0x10a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.678675

.pdata

MD5 d097f0a80f87af8d046a24f6b1935a60
SHA1 8da8e472211e487a5725a85a8d877698d97a8403
SHA256 eb91297337706945a74cf3958e6d3c5ea971f24b2544c6d2aa6e8472f32b3c8f
SHA3 dd4f964c43feb0b494f9ae020aa666ea5e4635c813545cc87f4aca022eb4099c
VirtualSize 0x570
VirtualAddress 0x14000
SizeOfRawData 0x600
PointerToRawData 0x10c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.42819

.rsrc

MD5 394511f312ad898bcc43e97b86a8111c
SHA1 ed8a6b05f68e1a6df84475d1c9790e02566b5176
SHA256 4329f6cfce2acab75b95c4ee847511de6a5c17edbfeebb86975e5f42237abfc4
SHA3 38b26b596f82e222afe936dc3d2c5c13283a60a2fae20696f104e1e38beeb111
VirtualSize 0x818
VirtualAddress 0x15000
SizeOfRawData 0xa00
PointerToRawData 0x11200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.74056

.reloc

MD5 1bc149f4b2ecdda9dcc8c6eb007b8953
SHA1 0cf97f13cab2874e96d6b4ab882eba6492aaa90f
SHA256 90003453b7edc1d07ca61f46c734e2f2fce475b430b7e26165bb3e6beb6ebc21
SHA3 9b9d0d7cf6360e5abca02b35fe780ba8a374032eb23b5698f8f8dc1b190b5e17
VirtualSize 0x30
VirtualAddress 0x16000
SizeOfRawData 0x200
PointerToRawData 0x11c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.561284

Imports

ADVAPI32.dll RegQueryValueExW
RegOpenKeyExW
RegCloseKey
LookupPrivilegeValueW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
SetNamedSecurityInfoW
GetSecurityDescriptorControl
GetSecurityDescriptorOwner
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetTokenInformation
KERNEL32.dll UnmapViewOfFile
GetLastError
LocalFree
Sleep
GetStartupInfoW
SetUnhandledExceptionFilter
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetVolumeInformationW
FindFirstFileW
HeapFree
SetLastError
FindNextFileW
WriteFile
GetPrivateProfileSectionW
FindClose
GetVolumePathNameW
CreateFileW
GetFileAttributesW
SetFileAttributesW
HeapAlloc
MoveFileExW
GetProcessHeap
CopyFileExW
GetFileInformationByHandle
GetFullPathNameW
FreeLibrary
LoadLibraryExW
GetProcAddress
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
CloseHandle
GetCurrentThread
GetVolumeNameForVolumeMountPointW
DeviceIoControl
GetFileSizeEx
CreateDirectoryW
msvcrt.dll wcsstr
_snwscanf_s
_wcslwr
wcsnlen
__iob_func
_wcsnicmp
swprintf_s
memset
fflush
wcschr
wcsrchr
memcpy
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_wcsicmp
_vsnwprintf
fwprintf
_vsnwprintf_s
RPCRT4.dll UuidCreate
imagehlp.dll CheckSumMappedFile
SHELL32.dll CommandLineToArgvW
SHLWAPI.dll PathRemoveBackslashW
ntdll.dll NtEnumerateBootEntries
NtQueryDirectoryObject
NtOpenDirectoryObject
NtTranslateFilePath
NtQueryBootOptions
NtQueryBootEntryOrder
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenKey
NtOpenSymbolicLinkObject
RtlImpersonateSelf
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtAdjustPrivilegesToken
RtlFreeHeap
RtlAllocateHeap
NtSetInformationFile
LdrAccessResource
LdrFindResource_U
NtOpenFile
NtQueryInformationThread
NtQueryInformationFile
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
RtlNtStatusToDosError
NtClose
RtlInitUnicodeString
NtWriteFile
NtQuerySystemInformation
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

Delayed Imports

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xc8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.69061
MD5 76e72144b62d69d9d389742807a6828e
SHA1 9df9973862790de39dfb573f9e1e440355dacc04
SHA256 3b11864f5d55c18a71bdbb41a03511404251b7f1e024063ff56c31eec2f8176f
SHA3 9aa4611f03a92de617d79e3cc1eb9320a13e0cd1d7da62a0c1afabc37cac844f

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x39c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.47478
MD5 893b7c943b2a194b1b87896cb60b22dc
SHA1 47d4a5ac6176e8981e690142a62568469c30efc2
SHA256 9057073875aee479334dc526c225679427cb896381d1b51783e86c01f4a1e196
SHA3 346cd297d804e268aa8f2f0b09a686e9c9ed2fe246093527e25b567cfe778ace

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x2ba
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89983
MD5 f0879271ddaf85b13fd3ffbc67e5f24f
SHA1 553e904bb00cec087caca6a1cf144da4abaf76cb
SHA256 d4a6f4bc585aeaaec7cead9f8b35c76db10d489e757a9b69522bb670ae50eb6a
SHA3 c439121aa729fca9bac43b22677098865977d856fa76783b970ccaf9733c6db2

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.18362.1
ProductVersion 10.0.18362.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Boot File Servicing Utility
FileVersion (#2) 10.0.18362.1 (WinBuild.160101.0800)
InternalName bfsvc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename bfsvc.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.18362.1
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 1984-Oct-28 12:46:15
Version 0.0
SizeofData 34
AddressOfRawData 0x10a58
PointerToRawData 0xf058
Referenced File bfsvc.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 1984-Oct-28 12:46:15
Version 0.0
SizeofData 516
AddressOfRawData 0x10a7c
PointerToRawData 0xf07c

UNKNOWN

Characteristics 0
TimeDateStamp 1984-Oct-28 12:46:15
Version 0.0
SizeofData 36
AddressOfRawData 0x10c80
PointerToRawData 0xf280

TLS Callbacks

Load Configuration

Size 0x108
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140013028
GuardCFCheckFunctionPointer 5368759664
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x26770d17
Unmarked objects 0
C++ objects (26715) 2
ASM objects (26715) 3
C objects (26715) 19
Imports (26715) 19
Total imports 246
264 (26715) 35
Resource objects (26715) 1
Linker (26715) 1

Errors