gflags.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\gflags.exe - Description: Microsoft NT Global Flags Manipulator
Hashes
| Type | Hash |
|---|---|
| MD5 | 2812F8CB93873242F6A76058A8EF67DB |
| SHA1 | 6AEB207485B19A491A96044EA14D5FAA88D205F1 |
| SHA256 | 444EC25F2326C8E0B4111FDC7068115E2ACC397CBB7353C933E9AC13302CF9D6 |
| SHA384 | 70D5361C4608CF523B4D90AB2C144757DDC2BC78AD03074FB49F9126B7E6ED54EF62F7D243D38129440C4F70C002BB55 |
| SHA512 | 486CFADCF3EBA5130D4A679F96C3E5CA7BABA8AF25CD63215C886DEE89B860A34BBF9251A95EB6CC6356CEE170616D48AE907C58BF8B389EFFE84B32A044AFE9 |
| SSDEEP | 1536:0PK4gkN5DBivIbZUzY7x443ySndRfD4eRC5GCAXVcg0ycJ:9BSndRfD4eRovAFcg0ycJ |
| IMP | 981942E76E9072C66057E1B72D92A0BF |
| PESHA1 | CC2EAE1964D32C8AA430B26D20B099C8A6B84966 |
| PE256 | 8D861C36F9F8D305A6F3BB13E9CEC98CE01C2292E2BAE845546216876B4EE8D6 |
Signature
- Status: Signature verified.
- Serial:
33000002B7E8E007A82AEF13150000000002B7 - Thumbprint:
5A68625F1A516670A744F7EF919500A479D32A5B - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: GFLAGS.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit ARM
File Scan
- VirusTotal Detections: 1/75
- VirusTotal Link: https://www.virustotal.com/gui/file/444ec25f2326c8e0b4111fdc7068115e2acc397cbb7353c933e9ac13302cf9d6/detection
Possible Misuse
The following table contains possible examples of gflags.exe being misused. While gflags.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| atomic-red-team | T1546.012.md | IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) |
MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.