gpscript.exe

  • File Path: C:\WINDOWS\SysWOW64\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type     Hash
MD5      4F368C54C849BEF096759C624F1366A4
SHA1     25110F991BC84110DA35065EFF9F88AEEF6D124B
SHA256   94289FD0FF0691637042AE25A6F45569B4FE36C5651672E477D198351C7BE673
SHA384   4BDCC74C52E64D17C232E3EE7FCAC68AA0A49546FA1CB060E5CE28179880CC7166719669FD3ADF6FD797593D92FC0746
SHA512   43D3A045FF044A43CE9FC75F81DD7B915726E53B9231B76B253D5F4E2A20705686FA28DF36B8B4EC7344D6B070DB4E468438F172E6CBD69A738DFAB696FB1847
SSDEEP   768:illU+Bk3nqOv/5Tv/dvAi7cpqePpAQdT3PwElD/:q++Bk3qOv/5Tv/Z7cFPpAQdTfwElD/
IMP      5C9ADBC2A218AEE3FE31C3D2507C5911
PESHA1   C492F748C5650EE36C80D76A6623FC79BC621B9C
PE256    BB3142BE4BD0B607AD64C8E24D94CA0D248A28F676D2F8C714A68BA50FB3DD77

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\gpscript.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File    Example                                                                           License
LOLBAS   Gpscript.yml   Name: Gpscript.exe
LOLBAS   Gpscript.yml   - Command: Gpscript /logon
LOLBAS   Gpscript.yml   - Command: Gpscript /startup
LOLBAS   Gpscript.yml   - Path: C:\Windows\System32\gpscript.exe
LOLBAS   Gpscript.yml   - Path: C:\Windows\SysWOW64\gpscript.exe
LOLBAS   Gpscript.yml   - IOC: Execution of Gpscript.exe after logon
LOLBAS   Gpscript.yml   - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

MIT License. Copyright (c) 2020-2021 Strontic.