9164d869-3953-40eb-91e4-26a837e3aacc
bootmgfw.efi
Description
This was provided by Microsoft and revoked May-23
This download link contains the Revoked Bootloader!
Commands
bcdedit /copy "{current}" /d "TheBoots" | {% if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootmgfw.efi } }
Use Case | Privileges | Operating System |
---|---|---|
Persistence | 32-bit |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed bootloader files
Resources
CVE
Known Vulnerable Samples
Property | Value |
---|---|
Filename | bootmgfw.efi |
MD5 | c6697cdbcf51cc54053438e644243327 |
SHA1 | 056c3b1ab4f9b248ffc5285f299a2653839357f2 |
SHA256 | 1eadf7bf5fde916884a4beb82dd68ba50be05413f00aae8571190a2eaa462640 |
Authentihash MD5 | e518520c0709c922714f016a9ec3d893 |
Authentihash SHA1 | 3ef1fcd520f386618b77de8759b40d169b042708 |
Authentihash SHA256 | 05729029ef940c5e6ee96b3b1253c08783c01329bce2e9951bc22a09223fc15c |
RichPEHeaderHash MD5 | c3a45277e34522772d2ffb9c618850dd |
RichPEHeaderHash SHA1 | ccaa1ad0944140bed3cf64cdaf8c9d2004c29074 |
RichPEHeaderHash SHA256 | 474fc92022c5254d909bd3560e682dc6a340333b34b82d63e8b9a575cf09b292 |
Company | Microsoft Corporation |
Description | Boot Manager |
Product | Microsoft® Windows® Operating System |
OriginalFilename | bootmgr.exe |
Certificates
Expand
Certificate 330000033c89c66a7b45bb1fbd00000000033c
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 46f57c3b860b08484cb79066ac1014ad |
ToBeSigned (TBS) SHA1 | c1fe3ab97b834a98460e4ae92fe2468d16f61a92 |
ToBeSigned (TBS) SHA256 | d78e6b22fec42de5200f6c56731dd6742c79fa2bf7c01c8dc04d3d5738474c9b |
Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows |
ValidFrom | 2021-09-02 18:23:41 |
ValidTo | 2022-09-01 18:23:41 |
Signature | 699045742c403812de1bdf9ea2be22132e82a7c006ab278e0c9f460bd435386348031a6b5cbdf450ae5a243331dcb2cc7eace8371cf71ec35a6f663147bd211ea357614e6a611eeacca6486a778d4cd788106ade12d6625574e7a89ecab4eb0bb99295c498dd5f565680a2d26bf2545e727c4204023c48d8021b608fd901c6fefd16ce0c3a669fb0ce758dc671f2cdd7434c163f9de9453e5523d94a78205c828a4615e50330d9f52a8a77f7683d2b61ff1324382d40d31001c518b56b286fbb8c754f6940590c2071385ed0a9387b529c06bf71fff89c74634550fc331b389d558696ace05787144e5af53d20a75a84981bf8380ddac3743f407d8ff27c089e |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | False |
SerialNumber | 330000033c89c66a7b45bb1fbd00000000033c |
Version | 3 |
Certificate 61077656000000000008
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 30a3f0b64324ed7f465e7fc618cb69e7 |
ToBeSigned (TBS) SHA1 | 002de3561519b662c5e3f5faba1b92c403fb7c41 |
ToBeSigned (TBS) SHA256 | 4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146 |
Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011 |
ValidFrom | 2011-10-19 18:41:42 |
ValidTo | 2026-10-19 18:51:42 |
Signature | 14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | True |
SerialNumber | 61077656000000000008 |
Version | 3 |
Imports
Expand
Imports
Expand
ImportedFunctions
Expand
ExportedFunctions
Expand
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": false,
"SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c",
"Signature": "699045742c403812de1bdf9ea2be22132e82a7c006ab278e0c9f460bd435386348031a6b5cbdf450ae5a243331dcb2cc7eace8371cf71ec35a6f663147bd211ea357614e6a611eeacca6486a778d4cd788106ade12d6625574e7a89ecab4eb0bb99295c498dd5f565680a2d26bf2545e727c4204023c48d8021b608fd901c6fefd16ce0c3a669fb0ce758dc671f2cdd7434c163f9de9453e5523d94a78205c828a4615e50330d9f52a8a77f7683d2b61ff1324382d40d31001c518b56b286fbb8c754f6940590c2071385ed0a9387b529c06bf71fff89c74634550fc331b389d558696ace05787144e5af53d20a75a84981bf8380ddac3743f407d8ff27c089e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows",
"TBS": {
"MD5": "46f57c3b860b08484cb79066ac1014ad",
"SHA1": "c1fe3ab97b834a98460e4ae92fe2468d16f61a92",
"SHA256": "d78e6b22fec42de5200f6c56731dd6742c79fa2bf7c01c8dc04d3d5738474c9b"
},
"ValidFrom": "2021-09-02 18:23:41",
"ValidTo": "2022-09-01 18:23:41",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "61077656000000000008",
"Signature": "14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"TBS": {
"MD5": "30a3f0b64324ed7f465e7fc618cb69e7",
"SHA1": "002de3561519b662c5e3f5faba1b92c403fb7c41",
"SHA256": "4e80be107c860de896384b3eff50504dc2d76ac7151df3102a4450637a032146"
},
"ValidFrom": "2011-10-19 18:41:42",
"ValidTo": "2026-10-19 18:51:42",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2023-08-31