Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-12 16:56:46 | 2025-06-12 17:27:31 | 1845 seconds | Show Options | Show Analysis Log |
nohuman=yes
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,115 [root] INFO: Date set to: 20250611T17:31:46, timeout set to: 1800 2025-06-11 18:31:46,414 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-11 18:31:46,414 [root] DEBUG: Storing results at: C:\XgITVWXU 2025-06-11 18:31:46,414 [root] DEBUG: Pipe server name: \\.\PIPE\QkIhwKCq 2025-06-11 18:31:46,414 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 18:31:46,414 [root] INFO: analysis running as an admin 2025-06-11 18:31:46,430 [root] INFO: analysis package specified: "exe" 2025-06-11 18:31:46,430 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 18:31:47,258 [root] DEBUG: imported analysis package "exe" 2025-06-11 18:31:47,258 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 18:31:47,258 [lib.common.common] INFO: wrapping 2025-06-11 18:31:47,258 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 18:31:47,258 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\bcdboot.exe 2025-06-11 18:31:47,258 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 18:31:47,258 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 18:31:47,258 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 18:31:47,258 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 18:31:47,508 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 18:31:47,524 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 18:31:47,555 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 18:31:47,571 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 18:31:47,586 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 18:31:47,586 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 18:31:47,586 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 18:31:47,586 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 18:31:47,586 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 18:31:47,586 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 18:31:47,586 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 18:31:47,586 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 18:31:47,586 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 18:31:47,602 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 18:31:47,602 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 18:31:47,602 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 18:31:47,602 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 18:31:47,602 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 18:31:47,727 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-11 18:31:47,727 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 18:31:47,727 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 18:31:47,727 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 18:31:47,727 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 18:31:47,727 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 18:31:47,727 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 18:31:47,727 [modules.auxiliary.disguise] INFO: Disguising GUID to a12a810f-7248-49cb-b29e-38f635d4389d 2025-06-11 18:31:47,727 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 18:31:47,727 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 18:31:47,727 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 18:31:47,727 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 18:31:47,727 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 18:31:47,742 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 18:31:47,742 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 18:31:47,742 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 18:31:47,742 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 18:31:47,742 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 18:31:47,742 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 18:31:47,742 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 18:31:47,742 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 18:31:47,742 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 18:31:47,742 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 18:31:47,742 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 18:31:47,742 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 18:31:47,758 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-11 18:31:47,758 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 18:31:47,758 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 18:31:47,758 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 18:31:47,758 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-11 18:31:47,758 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 18:31:47,758 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 18:31:47,758 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\nJyNmW.dll, loader C:\tmp_gell1p8\bin\pgBxLdyq.exe 2025-06-11 18:31:47,836 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 18:31:47,836 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\nJyNmW.dll. 2025-06-11 18:31:47,868 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 18:31:47,868 [root] INFO: Disabling sleep skipping. 2025-06-11 18:31:47,868 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 18:31:47,868 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 18:31:47,868 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 18:31:47,868 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-11 18:31:47,868 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 18:31:47,883 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 18:31:47,883 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 18:31:47,883 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 18:31:47,883 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824830000, thread 6136, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000 2025-06-11 18:31:47,883 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 18:31:47,899 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 18:31:47,899 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 18:31:47,899 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\nJyNmW.dll. 2025-06-11 18:31:47,899 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 18:31:47,899 [root] DEB <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-12 16:56:46 | 2025-06-12 17:27:10 | none |
File Details
| File Name |
bcdboot.exe
|
|---|---|
| File Type | PE32+ executable (console) x86-64, for MS Windows |
| File Size | 241664 bytes |
| MD5 | 3dc1655867ceac5f2e9e6a419674fe40 |
| SHA1 | a869470088234a5cf4a6b604642d152bb45def18 |
| SHA256 | 2b7a6693be12f9df7a56f5467911927438ebc0c06f979195536c942cbe6c2cce [VT] [MWDB] [Bazaar] |
| SHA3-384 | 90b0316dc933443133996ca1f4f8c5cda5874fa2404b7429771728d46873ca13a695dd51783719da18d9311243e3fb7d |
| CRC32 | D510E3FD |
| TLSH | T17234C30A23FA1984E9B39A38AA724411997378716B31C6DF1394C07D5F27B94FE38F52 |
| Ssdeep | 3072:R2b1dvKjeQD1cHF6nqYCDiDsDyKEWZcNMV3en+4KaCx1Wz:e1dvQb1cHFwCDR3EWZcMnnW |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
fD9$Xu
fD9$Fu
l$ VWATAVAWH
;EPu!H
pA^_^[]
BfsRepair: Failed to unload system store. Status: %08x
@.data
D$hE3
u@tXL
en-SG
SVWATAVAWH
NtOpenProcessTokenEx
H!}HL
SetThreadpoolThreadMaximum
Loaded hive at BCD%08d
de-DE
BcdCopyObjectEx: Failed to get object identifier. Flags: 0x%x Status: %x
ZwSetValueKey
en-TT
\Logs\bfsvc\repair.log
Failed to get a handle to the memtest object. Status = [%x]
System BCD store does not exist, creating.
zh-HK
BcdFlushStore: Failed to acquire BCD sync mutant. Status: %x
ne-NP
bs-Latn
u*9Q<|%
|SYSPART|\|BOOTMGR|
SeDebugPrivilege
ta-LK
sma-NO
Process Name [%d]: %ws
af-ZA
BcdCopyObjectEx: Failed to set firmware object. Target: %ws Flags: 0x%x Status: %x
|SYSPART|\|EFIDEFAULT|\|DEFAULTAPP|
mn-MN
RtlImpersonateSelf
DEFAULTAPP
ff-Latn
CopyFileExW
mn-Mong
GetSecurityDescriptorControl
L$HE3
System partition: %s
</security>
ZwTranslateFilePath
SYSROOT
0A_A^A]A\_^[
ku-Arab-IQ
VWAVH
_wcslwr
X_^[]
BiBindEfiBootManager failed %x
1C0eH
L9t$8t eH
sl-SI
tq9t$`t
Microsoft Corporation
\\.\PhysicalDrive%d
LoadLibraryExW
memcmp
DismOpenSession
!\$`3
_XcptFilter
D9t$|t
fE9t}
Removing duplicate object %wZ
T$HE3
4$L9l$`t eH
`A^_^][
ZwDeleteValueKey
H9t$Pt
USVWATAUAVAWH
ta-IN
NewStoreRoot
BfspPrintFileOwnerProcess: NtQueryInformationFilefailed! Status = %#x
\EFI\Microsoft\Recovery\BCD
@SUVWAVH
UnmapViewOfFile
;}XsmM
D$0=#
VolumePathName for %ws is %ws
_initterm
tt-RU
fD9,Bu
kr-NG
ZwDeleteBootEntry
.idata$5
BfspPrintFileOwnerProcess: Failed to open file!Last Error = %#x
LoadLibraryW
False
RtlAppendUnicodeToString
Failed to GetVolumePathName for %ws (%u).
<description>BCD System Store Initializer</description>
sms-FI
Failure when initializing library system volume.
Copying resource files from %s to %s...
ZwFlushKey
detect
LdrGetProcedureAddress
es-AR
.pdata
NtQuerySystemInformation
wcschr
de-AT
Memory Tester application not found. Skipping add.
Microsoft
fil-PH
RtlAllocateAndInitializeSid
bootia32.efi
gn-PY
ar-TN
Generating object GUID.
ServicingErrorCode
offline
zu-ZA
sd-Arab-PK
DeleteFileEx: hardlink given to us is: %s
en-029
Failed to query OS loader identifier. Status = [%x]
syr-SY
8A_A^A]A\_^][
sk-SK
Deleting element %08x
ServiceSpaces: Skipping non-Windows %s
fD94Bu
v3fD9l$Ru
ZwOpenKey
_exit
ky-KG
Locate node has parent - moving to parent
Failed to convert data for element %s. Status: %x
fD9,Zu
0A^_^
H9u`t
MoveFileExW
<GfA9
bs-Cyrl
memtest.efi
H9T$H
DismDelete
each entry is scanned. If the corresponding device for that entry
fD9d}
Failed to set element application path. Status = [%x]
Failed to set registry data for element %s. Status: %x
Failed to flush system partition. Error = [%x]
H!D$0H
Exporting alterations to firmware.
da-DK
bs-BA-Latn
0A_A^A\_^
The system store is not already loaded
Error creating %s path! Last Error = %#x
\boot\
Failed to enumerate boot entries. Status: %x
Creating Recovery directory.
Failed to reduce winre entries in recovery store. Status = [%x]
.\%s.mui
p WAVAWH
Failed to set boot options. Status: %x
fD9$Ou
pa-Arab
fD9dH
No process found using %s file.
Failed to create recovery store. Status = [%x]
Found %d processes using this file.
_wsetlocale
pA^A]A\_^[]
Store path: "%s"
xX8Mhu#H
sr-Latn-ME
GetLogicalDrives
GetFileAttributesW
|SOURCE|\|RESOURCES|\BOOTRES.DLL
ne-IN
Failed to allocate process ID buffer.
Failed to get handle to the system store. Status = [%x]
FVEAPI.DLL
.CRT$XIA
ServicingBootFiles failed. Error = %#x
RtlNtStatusToDosError
BootDebuggerFiles.UEFI
/addlast Specifies that the windows boot manager firmware entry
|$(E3
GetPrivateProfileSectionW
es-PA
sa-IN
x UAVAWH
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
RtlImageNtHeader
XA_A^A]A\_^][
Failed to open a handle to the object element. Status = [%x]
FileDescription
SetFileAttributes(%s) failed! Last Error = %#x.
\$ UVWH
bootmgr.exe
Expected provided path "%ws" to start with %ws
D$tE3
!D$HE3
Failed to set default bootmgr object. Status = [%x]
dz-BT
PA_A^A]A\_[]
\$ VWAVH
Failed to cleanup recovery store. Status = [%x]
UWATAVAWH
BiUpdateEfiEntry failed %x
;}PsmM
Cleaning up debugger settings.
ntdll.dll
Failed to set {bootmgr} locale. Status = [%x]
UVWAUAWH
10.0.17763.1
DeviceIoControl
zh-CHT
GetSecurityDescriptorOwner failed! Error code = %#x
A_A^A\_^
A]A\_^[
L$hE3
bootx64.efi
AdjustTokenPrivileges
sr-SP-Cyrl
GetFileVersionInfoSizeW
BcdGetElementDataWithFlags: Failed to open elements key.Object: %ws Status: %x
%ws.{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
D$(E3
FirmwareBootDevice
bootable entry. Otherwise, only global objects are merged.
fD9<Hu
File is not system store. File: %ws Status: %x
fE9dV
fA9<Hu
BfspPrintFileOwnerProcess: NtQueryInformationProcessfailed! Status = %#x
xh-ZA
Bcdboot utility
it-CH
0A_A^_^]
ConvertSidToStringSidW
RtlLengthSecurityDescriptor
ar-DZ
BfspSuspendBitLocker FAILED Error code = %#x
es-HN
SetThreadUILanguage
RtlCreateSecurityDescriptor
en-GB
ml-IN
fi-FI
.rdata$zETW9
ZwUnloadKey
DeleteFileEx: Unable to delete [%s]; GLE = 0x%x
Failed to delete duplicate winloads. Status = [%x]
UVWAVAWH
L$0E3
u,L9A
ChkDisk: Failed %08x
|SYSPART|\|DEST|\BCD.LOG
ka-GE
ts-ZA
Failed to add new store from file. File: %ws Status: %x
LdrGetDllHandle
A_A^A\_]
Failed to service spaces bootmgr. Last Error = %#x
Failed to add boot entry. Status: %x
Error deleting boottgt(%s)! Last Error = %#x
Error copying %s to %s. Last Error = %#x
|SYSROOT|
TerminateProcess
Failed to get element application path. Status = [%x]
ZwReleaseMutant
Using source OS version %I64x
f9,Au
Unable to create tempory root key. Status: %x
\Device\%s\Partition%lu
multi(%d)disk(%d)rdisk(%d)
Found Volume Name of %ws
en-BZ
h VWATAVAWH
NtQueryBootEntryOrder
Created new boot entry 0x%x
BiExportStoreToEfi failed %x
ar-AE
bootarm.efi
tg-Cyrl-TJ
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
fr-MA
ZwUnloadKey2
Resource files missing from %s. These files are required for some editions of Windows. If you are servicing older versions of Windows, you can ignore this message.
D$ =4
quc-Latn-GT
Returning from device validation
ko-KR
NtSetInformationThread
!\$lE3
D$FE3
.text$x
wo-SN
T$ E3
t#v!A
.\%s\%s.mui
No processes are using this file.
SetFileAttributesW
Failed to get bootmgr element. Status = [%x]
Setting {default} to %wZ
Removing duplicate entries.
NtQueryBootOptions
wcstoul
Exporting store to efi
bcdboot c:\windows /p
Opening recovery store from %ws
%s\%s\%s.mui
t$ UWATAUAVH
L$HH3
NtAdjustPrivilegesToken
ar-YE
A^_^
GetModuleHandleW
Attempt to mount volume %ws failed Error %u
L9t$ t eH
Error deleting boot manager(%s)! Last Error = %#x
wcsnlen
sd-Arab
DISMAPI.DLL
D$((Y-
Failed to export unload alterations to firmware. Status: %x
fr-SN
bs-Latn-BA
fD9|E
SymbolicLink
8Mhu)H
Failed to query object data. Status = [%x]
!D$TI
DeleteFileEx: Unable to allocate memory for the full path name; GLE = 0x%x
ru-RU
BiBindEfiEntries failed %x
ig-NG
@USVWATAUH
Failed to create system store path. Status: %x
0A_A^_
FirmwareVariable
pa-IN
OriginalFilename
Failed detect Hyper-V setting. Status = [%x]
Locate Node does not have parent
IT$Df
en-us
en-JM
SetNamedSecurityInfo failed! Error code = %#x
Failed to open handle to resume object. Status = [%x]
pt-PT
BcdGetElementDataWithFlags: Failed to get registry value.Object: %ws Reg type: %lu Status: %x
fE9<\u
Failed to copy NTLDR object data. Status = [%x]
es-DO
chr-Cher
az-Cyrl
|$8H;
ChkDskRun
\EFI\Microsoft\Boot\BCD
A;6w6I
GetFullPathNameW
GetFileType
es-ES_tradnl
UVWATAUAVAWH
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Failed to enumerate BCD objects. Status = [%x]
zh-Hant
CloseHandle
Failed to get registry value. Status: %x
@.reloc
QueryDosDeviceW
tzm-Latn-DZ
ZwEnumerateBootEntries
fwprintf
bcdboot c:\windows /d /addlast
0A_A^A]_^
HA_A^A]A\_^[]
Failed to reduce duplicate resume and recovery objects. Status = [%x]
Failed to get partition name. Status = %#x
LoadResource
Failed to adjust token priveleges! Error code = %#x
name="Microsoft.Windows.OSLoader.BcdBoot"
L!l$8
la-001
GetSystemTimeAsFileTime
ar-LB
H!\$(H
h_^][
Failed to open a handle to the bootmgr object. Status = [%x]
Failed to open object's key. Status: %x
d$Du&
\ArcName\
Closing store. Flags: 0x%x
yo-NG
iu-Cans-CA
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
SetUnhandledExceptionFilter
|SOURCE|\|RESOURCES|
ZwOpenMutant
Failed to filter delete element %08x. Status: %x
pap-029
ZwQueryInformationProcess
Failed to create a new recovery store. Status = [%x]
D$ E3
RtlFreeHeap
.text
|SYSPART|\EFI\Microsoft\Recovery
tFfA;
.rdata$brc
D;l$X
Error setting attributes on %s. Last Error = %#x
fo-FO
Exporting store alterations to efi
pt-BR
D;uPsI
L$`E3
D$4;E
bo-CN
id-ID
Moving to File/Ramdisk node with path %ws
D9d$p
DismInitialize
DismCloseSession
LocalAlloc
T$h!|$`H
.idata$4
Failed to service spaces default bootmgr
yi-001
BiCreateEfiEntry failed %x
mk-MK
@8=#-
GetTokenInformation
SeTakeOwnershipPrivilege
se-FI
`A_A^A]A\_^[
sr-Latn-RS
SBCDOBJECT=
fclose
H!t$
Servicing debugger files
ZwAddBootEntry
RtlInitAnsiString
Failed to open store from path. File: %ws Status: %x
RESOURCES
Failed to create create {bootmgr} object. Status = [%x]
/m If an OS loader GUID is provided, this option merges the
BcdGetElementDataWithFlags: Failed to open key.Object: %ws Type: %ws Status: %x
Error copying font files from %s to %s.Last Error = %#x
L9ewt
FveAddAuthMethodInformation
Error uncompressing boot status data log(%s)! Last Error = %#x
__C_specific_handler
bootaa64.efi
ZwSetBootEntryOrder
ZwQueryAttributesFile
|SYSPART|\
BfspSuspendBitLocker SUCCEEDED (Enabled:%c Suspended:%c)
BcdErrorCode
!t$dE
ChkdskEx
Failed to copy memtest object. Status = [%x]
en-IE
/c Specifies that any existing objects described by the template
%s\%s
co-FR
A]A\_^[]
|$ AVH
.text$mn$00
t$ WH
position should be preserved. If entry does not exist,
SetLastError
f9D^ u
L$RfD9lDNu
.rsrc$01
sNHcK<
GetFileAttributes(%s) failed: File not found.
ar-OM
Failed to get a handle to the system store. Status = [%x]
BfsInitializeBcdStore flags(0x%08x) RetainElementData:%c DelExistinObject:%c
ZwQueryInformationFile
Failed to QueryDosDevice for %ws (%u).
A_A^A]A\_^[]
moh-CA
en-ZW
sr-Latn-CS
fD9$_u
A_A^A]
Exporting forcible unload to firmware
BfsRepair: Failed to get system partition size %08x
az-Latn-AZ
ZwSetBootOptions
f9,xu
Failed to find volume name for device %ws
GetSecurityDescriptorDacl
Failed to set element system root. Status = [%x]
|SOURCE|\Misc\|FWTYPE|\bootspaces.dll
my-MM
chr-Cher-US
L9t$@t eH
BfsRepair: BCD failed validation check after file system repair.
|DEST|\|BOOTMGR|
FindFirstVolumeW
Microsoft-Hyper-V-Hypervisor
en-ZA
Fonts
D$(!|$ E3
sr-SP-Latn
L$ SVWH
am-ET
BcdInitialized
Microsoft Corporation. All rights reserved.
sq-AL
L$PH3
H9L$`
gsw-FR
eu-ES
ZwLoadKey
Creating MemTest object.
|SYSPART|\|DEST|\|BOOTMGR|
CreateDirectoryW
ZwQueryBootEntryOrder
fr-HT
O:%sG:%sD:P(A;CI;GA;;;%s)(A;;0x1201bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1201bf;;;BA)(A;IOCIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;OICIIO;GA;;;CO)
ar-SA
Failed to acquire permissions to load hive. Status: %x
multi(%d)disk(%d)rdisk(%d)partition(%d)
LcA<E3
!\$\3
should be preserved.
fr-BE
RtlGUIDFromString
%-10ws%ws
H WATAUAVAWH
@.rsrc
Failed to delete boot entry 0x%x. Status: %x
MoD91s
FveCloseVolume
BCD: %ws
XA_A^A\_^[
`A_A^A]A\_^]
Creating object. Version: %d. Type: 0x%08x
|SYSPART|\|DEST|\|FONTS|
fD9<Qu
LegalCopyright
nl-BE
fr-MC
Specified flags prevent opening unloaded system store
%s%s%s%s
arn-CL
version.dll
is-IS
@A_A^A]A\_^]
dsb-DE
L$0H3
sw-KE
fD9<Bu
Failed to get handle to BCD object. Status = [%x]
.rdata$zzzdbg
f94Au
WARNING
BiBindEfiNamespaceObjects failed %x
WAVAWH
fr-LU
.rdata
Failed to open key for element %s. Status: %x
SetThreadpoolThreadMinimum
Failed to get object identifier. Status: %x
ur-PK
Error deleting stale spaces dll (%s)! Last Error = %#x
Servicing spaces files
FMIFS.DLL
ar-SY
Failed to copy objects of type %08x data. Status = [%x]
ti-ER
wcsstr
ba-RU
fF9<Bu
NtOpenThreadTokenEx
<assemblyIdentity
fE94ou
BfspCopyFile(%s, %s) failed! (Attempt %d of %d) Last Error = %#x
fD9,Au
L$@L!l$0L
@SVWATAUH
Directory
ZwOpenProcess
GetConsoleOutputCP
RtlInitUnicodeString
G|$L3
KeyName
BcdCopyObjectEx: Failed to enumerate source elements. Target: %ws Flags: 0x%x Status: %x
en-ID
L$ UVWATAUAVAWH
OpenProcessToken
|SOURCE|\BootDebuggerFiles.ini
Finding volume name for device %ws
@A_A^]
I!8E3
RSDS3
PA_A^A\_^[]
BfspSetSecurityDescriptor(%s) failed! Last Error = %#x
Failed to get element device type. Status = [%x]
9T$@tFM
SVWATAUAVAWH
RtlAddAccessAllowedAceEx
BfsRepair: System volume too large for chkdsk. Size: %llu MB Max: %llu MB
FindResourceExW
NtReadFile
t$8E3
fr-FR
SetNamedSecurityInfoW
memcpy
0A_A]A\_]
.idata$3
XA_A^A]A\_^[]
SetVolumeMountPointW
BCD%08d
Synchronizing store with firmware
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
ServiceDebuggerFiles: Failed to allocate config buffer
mn-Mong-MN
\$8H;
!|$8H
Failed to set element description. Status = [%x]
WdsCopyFileEx: Failed to strip file attributes for %s, will delete. GLE = 0x%x
ISPCAT
fflush
az-Cyrl-AZ
BcdCloseStore: Failed to acquire BCD sync mutant. Status: %x
CreateFileMapping(%s) failed! Error code = %#x
xA_A^A\_^[
Failed to remove duplicate object from bootmgr display order. Status = [%x]
RtlSetOwnerSecurityDescriptor
@A_A^A]_^[]
SearchPathW
f9,Fu
(_^][
__setusermatherr
UATAUAVAWH
Printing processes using %s file.
HeapFree
es-CR
ff-Latn-SN
SeRestorePrivilege
Failed to initialize objects key for store. Store: %s StoreKey: %ws Status: %x
GetTickCount
\Partition0
\??\PhysicalDrive%lu
Objects
\$<E9
.CRT$XIY
GetVolumeInformationW
L$@H3
USWATAUAVAWH
Copying objects. Version: %d. Type: 0x%08x
!t$hE3
'BIOS', or 'ALL'.
Failed to flush BCD to disk. Status = [%x]
/>
Failed open key %ws. Status: %x
iu-Latn
TreatAsSystem
BcdOpenSystemStore: Failed to acquire BCD sync mutant.Status: %x
UWAVH
BfsvcSyspartRepair
zh-MO
es-CL
GetSecurityDescriptorSacl
|SYSPART|\|DEST|\|RESOURCES|
FveGetAuthMethodInformation
Cleaning up orphaned ramdisk options.
EventSetInformation
MapViewOfFile(%s) failed! Error code = %#x
L!l$0
Failed to Enumerate elements from %ws. Status: %x
DeleteFileEx: Unable to get full path name on [%s]; GLE = 0x%x
uz-Latn-UZ
hr-HR
UWAUAVAWH
fE9$Fu
O:%sG:%sD:P(A;;FA;;;%s)(A;;GRGX;;;BA)(A;;GRGX;;;SY)(A;;GRGX;;;BU)S:(AU;FASA;0x000D0116;;;WD)
Opening system store. Flags: 0x%x
|$0L9t$@t
xofD9?v
qps-ploc
Store %s is the system store
D$49E
FveKeyManagement
Failed to close recovery store. Status = [%x]
advapi32
ha-Latn-NG
en-CA
tn-ZA
Moving to Partition node with path %ws
Failed to mark store as system store. Status = [%x]
|SYSPART|\|DEST|\BOOTSTAT.DAT
Failed to close the system store. Status = [%x]
should not be migrated.
Validating Device for %ws with identifier %ws
\Boot\BCD
A^A\]
BootFilesServiced
fD9{
Failed to set locale data. Status = [%x]
Moving to Locate node
D$@L!t$hL
ZwQueryValueKey
NtWriteFile
@SUVWATAVAWH
UWATAUAWH
WATAUAVAWH
ro-RO
|$@Lr
u,f9]
quz-PE
RtlLengthSid
tn-BW
A_A^A]A\_
|$ E3
.CRT$XCAA
/s Specifies an optional volume letter parameter to designate
fD98u
sr-Cyrl-ME
\$ UH
NtQueryInformationFile
iu-Latn-CA
lv-LV
ADVAPI32.dll
addlast
O:SYG:SYD:P(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
bcdboot c:\windows /s h: /f UEFI
.00cfg
_wcsicmp
H!\$h
Failed to enumerate subobject elements. Status: %x
Failed to set boot entry order. Status: %x
FreeLibrary
@SUVWH
ZwLoadKey2
L$x!|$xE3
Failed to get token information! Error code = %#x
qps-plocm
Failed to enumerate objects. Status: %x
?H9l$Ht eH
es-CU
BcdOpenStore: Failed to add store from file %ws. StoreFlags: 0x%x Status: %x
UVWATAVH
ks-Deva-IN
OpenThreadToken
/l Specifies an optional locale parameter to use when
Opening store. Flags: 0x%x
t;H!\$0A
FWTYPE
CompanyName
fD9du
NtOpenDirectoryObject
EFI\Microsoft\Boot
copied. The default is the system partition identified by
GetCurrentThreadId
@A_A^_
nso-ZA
u HcA<H
@SVWATAUAVAWH
Failed load key %ws. Flags: 0x%x File: %s Status: %x
Process Name = %s
bcdboot <source> [/l <locale>] [/s <volume-letter> [/f <firmware>]] [/v]
93t@A
Boot manager to be overwritten by user policy.
Failed to initialize description key for store. Store: %s StoreKey: %ws Status: %x
Allocated %lu objects.
Failed to delete debugger settings element %08x. Status = [%x]
GetProcessHeap
Attempting to mount device %ws with volume name %ws
fy-NL
Sleep
GetFileSizeEx
es-EC
Failed to copy bootmgr object data. Status = [%x]
Failed to log servicing event to bootstat %ws. Status: 0x%x
Failed to update bootmgr display order. Status = [%x]
uz-Cyrl
fD9*t
GetUserDefaultUILanguage
H!\$8H
en-HK
L$0!\$0E3
OsLoader identifier: %wZ
{ AVH
sd-Deva-IN
BfspPrintFileOwnerProcess: NtOpenProcess failed!Status = %#x
BFSVC Error: %s
ZwCreateKey
Ft&A;Q
Error copying boot debugging files from %ws to %ws (%ws). Last Error = %#x
mi-NZ
H!}@I
D8mHu
tzm-Tfng-MA
RegOpenKeyExW
wcsncpy_s
|$Pf97
GuidCache
Unable to open file %s for read because the file or path does not exist
FindFirstFileW
_wcsnicmp
ZwEnumerateKey
Failed to set description key value. Store: %s StoreKey: %ws Status: %x
kn-IN
Creating new recovery store %ws
PA_A^A]A\_^]
\Device
ZwQuerySystemEnvironmentValueEx
\Device\HarddiskVolume
fA94Iu
l$ VWAVH
tk-TM
`A_A^A\_^[]
[/m [{OS Loader ID}]] [/addlast] [/p] [/c]
USVWAVH
FindNextFileNameW
Failed to acquire BCD sync mutant. Status: %x
zh-CN
ServiceBootFiles MuiOnly:%c Res:%c Fonts:%c BootMgrOvw:%c BootStatOvw:%c DbgTrn:%c SuspendBDE:%c
es-BO
/f Used with the /s command, specifies the firmware type of the
Failed to open handle to Memtest object. Status = [%x]
Translated a DontSync object to ID 0x%x
DISM_{53BFAE52-B167-4E2F-A258-0A37B57FF845}
th-TH
L$ SUVWH
en-NZ
BCD stores successfully cleaned.
Failed to determine source OS version.
si-LK
en-IN
ha-Latn
NtCreateEvent
es-419
DismShutdown
%s\%s.mui
\StringFileInfo\%04x%04x\InternalName
wcsrchr
EFIDEFAULT
sr-Cyrl-RS
gl-ES
ug-CN
WindowsSysPartDevice
fr-CA
bs-BA-Cyrl
D$PE3
tzm-Tfng
\EFI\Microsoft\Boot\
/d Specifies that the existing default windows boot entry
given loader object with the system template to produce a
fr-ML
t$HE3
hy-AM
memmove
ErrorCode
uiAccess="false"
Failed to set bootmgr tools display order. Status = [%x]
RPCRT4.dll
|SOURCE|\|FWTYPE|\|BOOTMGR|
f94Bu
__set_app_type
SystemStartOptions
Error creating boot status data log(%s)! Last Error = %#x
FindFirstFileNameW
mn-Cyrl
ar-MA
|SYSPART|
bootfix.bin
Failed to create path for default EFI application. Last error = %#x
GetVolumeNameForVolumeMountPointW
mni-IN
D$x9D$$A
Bcdboot - Bcd boot file creation and repair tool.
040904B0
D$PD9
|SYSPART|\|DEST|
List of debugger files is empty
.rdata$zETW2
CreateFileMappingW
@USVWAVH
NtQueryInformationThread
Failed to update object GUID string. Status: %x
Failed to get system partition! Last Error = %#x
en-PH
swprintf_s
Failed to query process info. Status: %x
HcA<H
A_A^A]A\_^]
A_A^]
l$HE3
CreatePath: Unable to create [%s]; GLE = 0x%x
Failed to flush system volume. Error = %#x
Mounted %ws at %ws
Failed to service spaces DLL. Last Error = %#x
Failed clear firmware namespace. File: %ws Flags: 0x%x Status: %x
SHLWAPI.dll
!\$pE3
SOURCE
ms-MY
Failed to delete orphaned ramdisk. Status = [%x]
sah-RU
ERROR
]oD93A
wcscat_s
st-ZA
cy-GB
Failed to mount device %ws
Failed to set element display order. Status = [%x]
ServiceSpaces: Skipping %s
br-FR
GetSecurityDescriptorControl failed! Error code = %#x
WideCharToMultiByte
RegQueryValueExW
does not exist, the entry is deleted.
t$(E3
@SVWH
VarFileInfo
VWAUAVAWH
_fmode
ve-ZA
CreatePath: Unable to create parent directory for [%s]; GLE = 0x%x
M H!}(L
the target system partition where boot environment files are
NtOpenFile
oc-FR
GetFileVersionInfoW
_vsnwprintf
smn-FI
DeleteFileEx: Trying to set back attributes on: %s
Failed to open new system store. Store: %ws Status: %x
Failed to get bootmgr custom actions. Status = [%x]
CreateFileW
smj-NO
BiExportEfiBootManager failed: %x
zh-TW
NtQueryDirectoryObject
ZwSetSystemEnvironmentValueEx
sysrepair
first.
Opening store from %ws
ZwClose
ca-ES
Done servicing debugger files.
Failed to open recovery store %ws. Status = [%x]
USVWATAUAVH
L$PE3
nl-NL
FormatMessageW
version="5.1.0.0"
et-EE
<security>
\System32\bootstr.dll
<!-- Copyright (c) Microsoft Corporation -->
H;A`u
<requestedExecutionLevel
prs-AF
Created boot entry 0x%x using cached variable
A_A^A]A\_
10.0.17763.1 (WinBuild.160101.0800)
BfsRepair: Failed to get ChkdskEx proc address %08x
xoD9g
\$ WH
BcdCopyObjectEx: Failed to get object description Flags: 0x%x Status: %x
RtlCaptureContext
RtlCompareMemory
bg-BG
x ATAVAWH
rw-RW
uz-Latn
REAGENT.DLL
0A^_]
D$( @
qps-Latn-x-sh
\\?\Harddisk%uPartition%u\%s
Reopening system store.
fD9$xu
Failed to mark system store. File: %ws Status: %x
ZwCreateFile
uz-Cyrl-UZ
Failed to open file %s for read! Error code = %#x
tzm-Latn
f9LF u
Failed to clear system store flag. Status: %x
%ws%ws
ServiceDebuggerFiles: %ws does not exist
\$<A;
fr-029
Failed to open handle to the OS loader object. Status = [%x]
GetStdHandle
l$(E3
fF9,pu
ChkDskErrorCode
Failed to allocate space for full path
A_A^_
bs-Cyrl-BA
quc-Latn
Failed to close new store. Store: %ws Status: %x
the firmware.
bcdboot c:\windows /s h:
WriteFile
NtClose
he-IL
NtTranslateFilePath
Failed to open a handle to the bootmgr element. Status = [%x]
Failed to flush the BCD to disk. Status = [%x]
Failed to delete "%ws" variable. Status: %x
A_A^A\
WINDOWS
az-Latn
D$ I;
H9\$P
fE9d]
x AUAVAWH
qps-ploca
be-BY
lt-LT
@USVWATAVAWH
nb-NO
ja-JP
D$h!t$XA
fE9$pu
9\uiH
BfspPrintFileOwnerProcess: NtQueryInformationProcessfailed in unexpected manner! Status = %#x
Creating OsLoader object.
ZwSaveKey
Failed to get element data. Status = [%x]
BfsRepair: Failed to service boot files. Error: %08x
gd-GB
__wgetmainargs
Failed to create store. Status: %x
Failed to open handle to fwbootmgr object. Status = [%x]
Failed to get handle to the template store. Status = [%x]
ru-MD
BcdCopyObjectEx: Failed to set target elements. Target: %ws Flags: 0x%x Element type: %lu Status: %x
RtlLookupFunctionEntry
Attempting to mount at letter %ws
NtEnumerateBootEntries
BfsRepair: Failed to get volume information %08x
de-CH
QueryPerformanceCounter
Failed to set element OS device. Status = [%x]
D;|$
NtSetInformationFile
CreateThreadpool
\Registry\Machine\System\CurrentControlSet\Control\MiniNT
Failed open newly loaded key %ws. Flags: 0x%x Status: %x
Failed to open process. Status: %x
BfsRepair: Failed to load FMIFS.DLL %08x
msvcrt.dll
\Registry\Machine\SYSTEM\CurrentControlSet\Control
\$ UVWATAUAVAWH
StringFileInfo
ar-EG
t$ WAVAWH
0A_A^A]A\_
!t$8H
H!t$8H
ZwFilterBootOption
GetSystemDefaultUILanguage
es-ES
Unable to GetVolumeNameForVolumeMountPoint %ws (%u).
BfsRepair: Failed to repair BCD store. Error: %08x
GetSecurityDescriptorGroup
.text$mn
Store will be accessed with offline registry APIs.
Error deleting bootnxt from the BOOT folder (%s)! Last Error = %#x
D$XE3
BFSVC: %s
Resources
Failed to open a handle to the OS loader element. Status = [%x]
WdsCopyFileEx: Failed to delete %s. GLE = 0x%x
DeleteVolumeMountPointW
Failed to create a new system store. Status = [%x]
ZwSetSecurityObject
\$@eH
\\?\UNC
H!}@H
t(D9eHu"E
fr-CI
should be added last. The default behavior is to add it
kok-IN
SUVWATAUAVAWH
fE9,Fu
Failed to expand Recovery directory path
%s%s%s
Boot entry exists for DontSync with ID 0x%x
uk-UA
BootNext
EventWriteTransfer
system partition and to create a new system BCD store.
WdsCopyFileEx: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u ms
BCD strings MUI load failure %ws (%u).
f94_u
|SYSPART|\|DEST|\BCD
Failed to forcibly unload the system store. Status = [%x]
zh-Hans
sr-Cyrl-BA
Failed to open object %ws. Status: %x
FveOpenVolumeW
Failed to enumerate subelements. Status: %x
tg-Cyrl
NtQueryValueKey
Failed to find a key to load store %s. Last attempted key: %ws
L$`H3
f9,Ou
D$@E3
GetFileInformationByHandle
fr-CD
!|$`H
L$ SWH
H;E$u
ar-LY
bcdboot.pdb
Failed to set bootmgr display order. Status = [%x]
FONTS
F03C0
ks-Arab
Creating Resume object.
UuidCreate
fD9,yu
Failed to create create general objects. Status = [%x]
fE9$nu
HA_A^A]A\_^][
.rdata$zETW1
hu-HU
A^A\_^]
D$(!|$ H
9^$u%
ur-IN
RtlVirtualUnwind
|$ UH
sr-BA-Cyrl
tzm-Arab-MA
GetModuleFileNameW
USVWAUAVAWH
}@L9e
Failure when cleaning BCD stores.
BfsRepairSystemPartition flags(0x%08x), system root: %ws, online: %ws, boot files: %ws, caller: %d
Copying boot debugging files from %ws to %ws (%ws)
\ArcName\multi(0)disk(0)rdisk(0)
_wcsupr
|$XH9T$ht<H
fD9<Nu
System
BcdGetElementDataWithFlags: Failed to acquire BCD sync mutant. Status: %x
L$@H;
bcdclean
D;6s>
.CRT$XCA
Reducing duplicate resume entries.
Done validating partition/ramdisk %ws
NtQueryInformationProcess
new entry will be added in the first position.
KERNEL32.dll
A^A]A\_]
L$pL!t$@L
BfspPrintFileOwnerProcess: Failed to acquire debugprivilege
es-SV
Deleting boot entry 0x%x
BcdForciblyUnloadStore: Failed to acquire BCD sync mutant. Status: %x
Copying font files from %s to %s...
um9|$ptz
FirmwareModified
UnhandledExceptionFilter
f9,Cu
EventUnregister
Failed to open a handle to the ntldr element. Status = [%x]
BfspCopyFile failed to delete temporary file (%s)! Last Error = %#x.
Invalid attributes (%#x) specified for %s file!
wcscpy_s
G$H;A$u
GetVersionExW
@SUVWATAUAVAWH
MapViewOfFile
System store path: %s
A valid store must have a description key.
source Specifies the location of the windows system root.
VS_VERSION_INFO
\boot\BCD
A_A]_^]
Failed to query the identifier of the ntldr element. Status = [%x]
Creating General objects.
Copying boot files CopyBootManager(%s) %s -> %s
Failed to enumerate subkeys. Status: %x
x UATAUAVAWH
ff-NG
A_A^_^]
Failed to add system store from file. File: %ws Status: %x
as-IN
.CRT$XCZ
bsearch
L9t$Pt eH
sma-SE
\System32\config\BCD-Template
lb-LU
ServiceSpaces: Failed to copy %s to %s. Last Error = %#x
sv-SE
fD9<pu
imagehlp.dll
nn-NO
Failed to get file size for %s! Error code = %#x
L!t$(H
Failed to query processes. Status: %x
T$@f;U
D$(H!\$
H!|$`3
\ArcName\multi(0)disk(0)rdisk(1)
SystemPartition
u7A8Q
Found potential mount location at %C
Failed to validate boot manager checksum (%s)! Error code = %#x
\EFI\Microsoft\Boot\bootmgfw.efi
Failed to get aliased identifier. Status: %x
SeBackupPrivilege
BcdCopyObjectEx: Failed to get generate object guid. Flags: 0x%x Status: %x
initializing the BCD store. The default is US English.
Done validating partition %ws
.data
Failed to open key for object's elements. Status: %x
Resume application not found. Note, if you are servicing Windows PE or Windows RE boot files, you can ignore this message.
GetVolumePathNameW
A_A^A]A\_^][
fE9|E
ZwWaitForSingleObject
fD9$pu
/bcdclean Clean the BCD Store. By default, simply removes any duplicate
L$8H;
f9DV u
memset
H!|$@H
mt-MT
0A_A^A\_^][
RtlSetDaclSecurityDescriptor
fA94Au
Examples: bcdboot c:\windows /l en-us
Failed to create full file path
BcdCopyObjectEx: Failed to copy object. Target: %ws Flags: 0x%x Status: %x
DeleteFileEx: Unable to clear out attributes on [%s]; GLE = 0x%x
Unable to create tempory new store key. Status: %x
GetProcAddress
Failed to query boot entry order. Status: %x
dv-MV
ChkDisk: Finished Succesfully
!D$83
</trustInfo>
Failed to allocate memory for space for process name.
ProductName
Failed to allocate memory for mount location
ZwQueryKey
Failed to cleanup ramdisk options. Status = [%x]
Creating store.
LdrAccessResource
fE9<Fu
ga-IE
Failed to copy Boot Manager to default EFI application. Last error = %#x
.idata$6
fE9tu
ZwQueryBootOptions
el-GR
NtOpenProcess
Opening template from %ws.
BcdOpenStore failed with unexpected error code, Status = [%x]
Skipping current entry
WinRePostBCDRepair
fD9dA
Element
|$$\r3H
|SYSPART|\|DEST|\bootspaces.dll
tr-TR
Failed to open a handle to the template store. Status = [%x]
D$HE3
Failed to add WinRE entry. Status = [%x]
Object alias resolves to %s
PathRemoveBackslashW
Logging boot file servicing to bootstat log %ws.
bcdboot.exe
type="win32"
te-IN
t$ UWAVH
FileVersion
Error copying boot files from %s to %s! Last Error = %#x
|$"\u
fD9$Au
strncmp
Failed to open description key for store. Store: %s StoreKey: %ws Status: %x
p AWH
Locale
\Device\Harddisk%lu\Partition%lu
L9d$8t
ar-JO
GetConsoleMode
fD94Xu
sr-Cyrl
Failed to open key for all objects. Status: %x
97u*H
ar-KW
or-IN
UAVAWH
A_A^_
Timeout
RtlFreeUnicodeString
NtOpenSymbolicLinkObject
USVWATAVAWH
<requestedPrivileges>
ServiceDebuggerFiles: ConfigBuffer is too small
Opening object %s
D$4eH
quz-EC
fD9$ou
\Registry\Machine\System\CurrentControlSet\BootConfigurationData
Failed to get reference count to object. Status = [%x]
Create BOOTMGR object RetainBootDefault:%c
xA_A^A]A\_^[]
File %s is too large!
om-ET
VerQueryValueW
ConvertStringSecurityDescriptorToSecurityDescriptor failed! Error code = %#x
es-GT
D$d!t$tA
Failed to open element %ws key for delete. Status: %x
EventRegister
Too many unexplained failures. File: %s Last status: %x
es-PR
BiExportBcdObjects failed %x
kk-KZ
FindNextVolumeW
Failed to export alterations to firmware. Status: %x
de-LU
HeapAlloc
A_A^A\_^
fE9$Vu
Error expanding string %s. Last Error = %#x
EFI\Boot
es-PY
|$ UATAVH
Failed to load hive into key %ws from %s. Status: %x
__iob_func
ps-AF
.data$brc
Description
ibb-NG
Setting element %08x
%s\Partition%lu
9uXu9
H3E H3E
InternalName
GetFileAttributes(%s) failed! Last Error = %#x.
f9L]0t
en-AU
km-KH
Invalid VolumePathNameLegth %ws
hr-BA
Failed to copy resume object data. Status = [%x]
L9}8t
Failed to lookup privelege! Error code = %#x
hi-IN
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
NtOpenKey
.rsrc$02
The bcdboot.exe command-line tool is used to copy critical boot files to the
Failed to adopt new store. File: %ws Status: %x
Failed to get VolumeName for %ws %x
Error uncompressing boor manager (%s)! Last Error = %#x
Failed to enumerate logical drives
fr-RE
ZwDeleteKey
en-US
CheckSumMappedFile
ku-Arab
BFSVC
FindNextFileW
kernel32.dll
Source VolumeName %ws
nocleanup
D$PH!t$03
|SYSPART|\BOOTNXT
FindClose
ti-ET
Failed to query process information for size. Status: %x
ii-CN
BFSVC Warning: %s
VWATAVAWH
</requestedPrivileges>
SeSecurityPrivilege
Failed to get system partition. Status: %x
ca-ES-valencia
haw-US
GetCurrentProcessId
Failed to get a handle to the OS loader. Status = [%x]
ro-MD
H9T$P
@A^_^[]
Deleting object %ws with GUID %ws
t|D8-
es-PE
.rdata$zETW0
BcdCopyObjectEx: Failed to create object. Target: %ws Flags: 0x%x Status: %x
\KernelObjects\BcdSyncMutant
Error setting security attributes on %s. Last Error = %#x
pl-PL
!D$PA
vi-VN
BcdOpenStore: Failed to acquire BCD sync Mutant. Store: %wsFlags: 0x%x Status: %x
Failed to query boot options. Status: %x
ar-QA
WriteConsoleW
Found loaded store at key %s
lo-LA
fA9(tsM
Deleting element %08x blocked by secure boot policy.
@USWH
8\$@u&H
target system partition. Options for <firmware> are 'UEFI',
processorArchitecture="amd64"
ms-BN
fr-CM
.CRT$XIZ
D9&vID
Failed to find volume name for %ws
ServiceSpaces: Failed to create path %s. Last error = %#x
bootmgr
MININT
PortableOperatingSystem
!This program cannot be run in DOS mode.
Elements
fA9<Gu
@A^_^
|SYSPART|\|DEST|\BOOTNXT
fA9<Fu
Failed to set element application device. Status = [%x]
Failed to get the size needed for the registry data. Status: %x
\$(!\$x
\Registry\Machine
BfsRepair: Failed to get system volume %08x
A_A^A]A\_^[
GetLocaleInfoW
D$xE3
t>H9{
entries in the BCD. Can be followed by 'full'. In this case,
GetCurrentThread
Failed to open recovery store. Status = [%x]
Failed to get system store path. Status: %x
Failure when attempting to copy boot files.
|SYSPART|\|EFIDEFAULT|
Failed to populate BCD store. Status = [%x]
9H t,H
RtlStringFromGUID
Failed to get user token! Error code = %#x
/p Specifies that the windows boot manager firmware entry
Failed to initialize global state. Status = [%x]
BfsRepair: Failed to open system store. Status: %08x
f9H\u
W\VarFileInfo\Translation
es-NI
Boot files successfully created.
\$ E3
ConvertStringSecurityDescriptorToSecurityDescriptorW
bn-BD
I!>!>H
sr-Latn
Harddisk
Failed to enumerate objects
\\.\Spaceport
8A_A^A]A\_^[]
GetCurrentProcess
BiExportStoreAlterationsToEfi failed %x
\\?\GLOBALROOT
cs-CZ
so-SO
Done validating Device for %ws
Reducing duplicate winre entries.
fa-IR
K SWH
|EFIDEFAULT|\|DEFAULTAPP|
d$ E3
Could not open the BCD template store. Status = [%x]
BiBuildIdentifierList failed %x
Error creating boot status data log(%s)! Bytes written = %#x, desired = %#x
Failed to convert user SID! Error code = %#x
LocalFree
Failed to create hive. Store: %ws Status: %x
Attempting to enumerate objects
@8}@t
D$8E3
</assembly>
L!t$(3
smj-SE
K USVWH
mn-Mong-CN
Translation
A_A^A]A\_^]
en-MY
RtlCreateAcl
rm-CH
mr-IN
se-NO
(A_A^A]A\_^][
H!t$ 3
it-IT
Failed to copy OS loader object data. Status = [%x]
SYSPART
wcsncmp
NtQuerySymbolicLinkObject
zh-SG
ProductVersion
Failed to modify boot entry 0x%x. Status: %x
FlushFileBuffers
fD9/u
ZwDeviceIoControlFile
|SOURCE|\|FONTS|
api-ms-win-eventing-provider-l1-1-0
iu-CA-Latn
GetSecurityDescriptorGroup failed! Error code = %#x
sv-FI
L9t$Ht eH
t$PE3
Object GUID: %s
Failed to retrieve spaces physical partitions. Last Error = %#x
gu-IN
I0t&A
.CRT$XIAA
fD9<Au
Microsoft.Windows.BootFileServicing
FveGetStatusW
DismGetFeatureInfo
L9d$@t
A_A^A\_^[]
Attempting to determine owner of file %ws.
Windows
Failed to set element associated resume object. Status = [%x]
D$@!@
es-US
iu-Cans
BOOTMGR
D$0E3
quz-BO
level="asInvoker"
fD9$Yu
T$H!|$@H
bootmgfw.efi
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart
.idata$2
Failed to cleanup ramdisk options in recovery store. Status = [%x]
hsb-DE
pa-Arab-PK
|BOOTMGR|
x AVH
Failed to bind with firmware. Flags: 0x%x Status: %x
_ultow_s
D$8L;
sr-Cyrl-CS
Failed to create Recovery directory. Last error = %#x
LookupPrivilegeValueW
Failed to open a handle to the bootmgr. Status = [%x]
FveCommitChanges
.xdata
|SOURCE|\|FWTYPE|
.gfids
zh-CHS
fD9<Xu
ZwModifyBootEntry
BfspPrintFileOwnerProcess: Malloc failed!Size = %#x
FindVolumeClose
Failed to query "%ws" variable. Status: %x
Failed to convert guid to string. Status: %x
Operating System
Copying object. Flags: 0x%x
Failed to open system store. Status: %x
L$puAH
Failed to open object. Status = [%x]
GetModuleHandleExW
RtlFreeSid
T$pE;
Caller
_cexit
fr-CH
GetSecurityDescriptorOwner
es-UY
se-SE
es-CO
CloseThreadpool
BootDebuggerFiles.PCAT
LdrFindResource_U
ZwOpenSymbolicLinkObject
t$ WATAUAVAWH
Failed to open file attributes. Status: %x
GetLastError
@USVWATAUAVAWH
UWAWH
_commode
|DEST|\bootspaces.dll
ar-IQ
\$XE2
Error creating boot status data log(%s)! Unable to allocate memory
Store will be synchronized with firmware.
_amsg_exit
ZwOpenFile
fD9$Gu
es-VE
p WATAUAVAWH
?terminate@@YAXXZ
_snwscanf_s
NtDeviceIoControlFile
bin-NG
\$HE3
sr-Latn-BA
Translated a DontSync entry with ID 0x%x
Binding EFI namespace objects
D9|$0
Unknown
fD94Gu
Failed to delete duplicate loader object. Status = [%x]
Failed to open key for all object's elements. Status: %x
es-MX
ZwAllocateUuids
pA_A^A]A\_^]
u+D9Q
|SYSPART|\BOOTTGT
Failed to set bootmgr resume object. Status = [%x]
BCD Error: %ws
bn-IN
sr-BA-Latn
A_A^A]A\]
A_A^A]_]
/v Enables verbose mode.
BCD Warning: %ws
bcdboot c:\windows /m {d58d10c6-df53-11dc-878f-00064f4f4e08}
ServiceSpaces: %s does not exist
fA9\E
BfsChkDsk: %ws
_wfopen_s
`.rdata
NtWaitForSingleObject
Failed to expand default EFI application location.
ar-BH
RegCloseKey
0A_A^A\_]
BfsCleanupBcdStore flags(0x%x)
H!D$@E3
|$ UATAUAVAWH
de-LI
;E,t%eH
RtlAllocateHeap
kl-GL
_vsnwprintf_s
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash |
|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x00022410 | 0x0003f52a | 0x0003f52a | 10.0 | bcdboot.pdb | 2012-03-18 09:03:08 | 0df5a549f1ae5ebf05d5733b13f6f571 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Bcdboot utility |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | bcdboot.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | bcdboot.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00021ca0 | 0x00021e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.19 |
| .rdata | 0x00022200 | 0x00023000 | 0x0001441a | 0x00014600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.10 |
| .data | 0x00036800 | 0x00038000 | 0x00000850 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.61 |
| .pdata | 0x00036a00 | 0x00039000 | 0x00000ee8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.16 |
| .rsrc | 0x00037a00 | 0x0003a000 | 0x00002ce0 | 0x00002e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.44 |
| .reloc | 0x0003a800 | 0x0003d000 | 0x00000794 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.27 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0003cc10 | 0x000000d0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.70 | None |
| RT_MESSAGETABLE | 0x0003a780 | 0x0000248c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.23 | None |
| RT_VERSION | 0x0003a3f0 | 0x0000038c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | None |
| RT_MANIFEST | 0x0003a140 | 0x000002ab | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.93 | None |
Imports
| Name | Address |
|---|---|
| ?terminate@@YAXXZ | 0x140026090 |
| _commode | 0x140026098 |
| _fmode | 0x1400260a0 |
| __C_specific_handler | 0x1400260a8 |
| _wcsicmp | 0x1400260b0 |
| _cexit | 0x1400260b8 |
| _exit | 0x1400260c0 |
| exit | 0x1400260c8 |
| memmove | 0x1400260d0 |
| __set_app_type | 0x1400260d8 |
| _initterm | 0x1400260e0 |
| memcpy | 0x1400260e8 |
| memcmp | 0x1400260f0 |
| __iob_func | 0x1400260f8 |
| __wgetmainargs | 0x140026100 |
| _amsg_exit | 0x140026108 |
| _XcptFilter | 0x140026110 |
| _wsetlocale | 0x140026118 |
| wcscpy_s | 0x140026120 |
| swprintf_s | 0x140026128 |
| __setusermatherr | 0x140026130 |
| bsearch | 0x140026138 |
| wcsncmp | 0x140026140 |
| strncmp | 0x140026148 |
| wcsncpy_s | 0x140026150 |
| wcsnlen | 0x140026158 |
| wcsstr | 0x140026160 |
| _wcslwr | 0x140026168 |
| _snwscanf_s | 0x140026170 |
| wcstoul | 0x140026178 |
| _ultow_s | 0x140026180 |
| wcschr | 0x140026188 |
| fwprintf | 0x140026190 |
| _vsnwprintf_s | 0x140026198 |
| fclose | 0x1400261a0 |
| _wfopen_s | 0x1400261a8 |
| fflush | 0x1400261b0 |
| wcscat_s | 0x1400261b8 |
| _wcsnicmp | 0x1400261c0 |
| _wcsupr | 0x1400261c8 |
| wcsrchr | 0x1400261d0 |
| _vsnwprintf | 0x1400261d8 |
| memset | 0x1400261e0 |
| Name | Address |
|---|---|
| UuidCreate | 0x140026060 |
| Name | Address |
|---|---|
| CheckSumMappedFile | 0x140026080 |
| Name | Address |
|---|---|
| PathRemoveBackslashW | 0x140026070 |
| Name | Address |
|---|---|
| EventRegister | 0x140025d58 |
| LookupPrivilegeValueW | 0x140025d60 |
| GetSecurityDescriptorSacl | 0x140025d68 |
| AdjustTokenPrivileges | 0x140025d70 |
| RegCloseKey | 0x140025d78 |
| RegOpenKeyExW | 0x140025d80 |
| RegQueryValueExW | 0x140025d88 |
| GetSecurityDescriptorDacl | 0x140025d90 |
| GetSecurityDescriptorGroup | 0x140025d98 |
| SetNamedSecurityInfoW | 0x140025da0 |
| GetSecurityDescriptorControl | 0x140025da8 |
| GetSecurityDescriptorOwner | 0x140025db0 |
| OpenProcessToken | 0x140025db8 |
| ConvertSidToStringSidW | 0x140025dc0 |
| ConvertStringSecurityDescriptorToSecurityDescriptorW | 0x140025dc8 |
| OpenThreadToken | 0x140025dd0 |
| GetTokenInformation | 0x140025dd8 |
| EventWriteTransfer | 0x140025de0 |
| EventUnregister | 0x140025de8 |
Usage
Processing ( 11.23 seconds )
- 10.545 ProcessMemory
- 0.677 CAPE
- 0.006 AnalysisInfo
- 0.005 BehaviorAnalysis
- 0.001 Debug
Signatures ( 0.05 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_bitcoin
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 disables_system_restore
- 0.001 azorult_mutexes
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.01 seconds )
- 0.004 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: bcdboot.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6212 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Users\Packager\AppData\Local\Temp\bcdboot.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.