gpscript.exe

  • File Path: C:\Windows\SysWOW64\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type     Hash
MD5      3F4B3FD2E3980E2BC71B7B036F0C69B6
SHA1     94404F6819A4EAA5C9B8ACF37AF712ED323DE31E
SHA256   10DA9175BC408CB270B4CF24167BAB915E34BD5ABB3D2BCE3EC9D3E68A329622
SHA384   1AA4FB65AB5311303C8A55572FF174989C7C5118DEB765738155A0AF120754E01845485E66721EF68491FA0FF7A0DF1D
SHA512   99BD50CD7F2CAE762CEF530C83655F08F542AEF1F0AD87D4656BC099DB1BACCD5AABE0AFB9B0981AA741802DB2980C6A4BF7AF85742EE143CB78139AFBFA4B9B
SSDEEP   768:34ylU+Bk31/K85lA4x209jfEXapTEza8Bj2rn1TdTKZvLss:d++Bk31S85lA4xsSTEzQn1TdTevLs
IMP      9AFFCA7D865BD1DE5A91261C9981D95C
PESHA1   E97D450A5536737829FEBF545B7A338F99E456D4
PE256    0078C04117B045EF0325635BD8C4791F566630677DB07018459070E12F350987

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\gpscript.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/10da9175bc408cb270b4cf24167bab915e34bd5abb3d2bce3ec9d3e68a329622/detection/

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File    Example                                                                          License
LOLBAS   Gpscript.yml   Name: Gpscript.exe
LOLBAS   Gpscript.yml   - Command: Gpscript /logon
LOLBAS   Gpscript.yml   - Command: Gpscript /startup
LOLBAS   Gpscript.yml   - Path: C:\Windows\System32\gpscript.exe
LOLBAS   Gpscript.yml   - Path: C:\Windows\SysWOW64\gpscript.exe
LOLBAS   Gpscript.yml   - IOC: Execution of Gpscript.exe after logon
LOLBAS   Gpscript.yml   - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

MIT License. Copyright (c) 2020-2021 Strontic.