gpscript.exe

  • File Path: C:\WINDOWS\system32\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type Hash
MD5 9CCE3D07F1A89F015CD10C934C4D1DFF
SHA1 6C65EDE69098337EC23E3F8A06C5EA45AC37ACD1
SHA256 10B96283C695170F30CFC85E7162D9711F691D721F2556F85AA6D62049B80A9F
SHA384 95F49293C20DF1A468B4009E6C668EDDA3640DBF9386FBC1BED4BB730B96B641D41DA83C2C7B108B16E225F36D8AFC74
SHA512 C808C580340F864175AD00E9A03963F1E199B642CCC2F2D3D97496172D51736A0B20AD8052AFD3CC94DA17C90FB6F07D01E16E4A61C9C86F920D0354DC220004
SSDEEP 1536:q9rjhXgRbpDVwzT/+1+ex0HzNQdTgNRcpWj:wr1XgZwv/+1+ex0ZKgNRb
IMP 0312517760E528DF62EB9D3BA0585088
PESHA1 D955CF38EFB168C694EB5D6EC285AF7EF2A99F20
PE256 6C5030A90DD9FCEB9FE782058365DF1AB894356B691B5F5AE1CA79F578354240

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\system32\gpscript.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/10b96283c695170f30cfc85e7162d9711f691d721f2556f85aa6d62049b80a9f/detection

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. gpscript.exe is not inherently malicious: it is the Microsoft-signed binary that runs the logon and startup scripts defined in Group Policy. Its /logon and /startup switches, however, run those scripts on demand, so anyone who can write the local script definitions (scripts.ini or psscripts.ini under %SystemRoot%\System32\GroupPolicy\User\Scripts or Machine\Scripts) gets code execution through a trusted, signed binary outside the normal logon or boot sequence. The LOLBAS indicator below, gpscript.exe executing some time after logon, reflects that: in normal operation it runs only while the logon or startup script phase is being processed.

Source Source File Example License
LOLBAS Gpscript.yml Name: Gpscript.exe  
LOLBAS Gpscript.yml - Command: Gpscript /logon  
LOLBAS Gpscript.yml - Command: Gpscript /startup  
LOLBAS Gpscript.yml - Path: C:\Windows\System32\gpscript.exe  
LOLBAS Gpscript.yml - Path: C:\Windows\SysWOW64\gpscript.exe  
LOLBAS Gpscript.yml - IOC: Execution of Gpscript.exe after logon  
LOLBAS Gpscript.yml - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/  
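
The two checks a responder would run on the indicator above, written here as an added example that is not part of the Strontic page, the LOLBAS entry, or any Microsoft tooling: parse the local-GPO scripts.ini format that gpscript.exe /logon and /startup execute and flag entries pointing outside the GPO script store, then triage process-creation records for gpscript.exe launches that deviate from the logon/startup baseline. The event field names, the five-minute grace period, the list of interactive parent processes, and the userinit.exe parent in the benign sample are assumptions chosen for the example, not facts taken from the page; the scripts.ini content and the events are constructed.

```python
"""Hunt for gpscript.exe abuse (added example; assumptions are marked inline)."""
import configparser
from datetime import datetime, timedelta

# Legitimate locations of the binary (from the LOLBAS entry on the page).
EXPECTED_IMAGES = {
    r"c:\windows\system32\gpscript.exe",
    r"c:\windows\syswow64\gpscript.exe",
}
# Parents that imply a human or a payload, not the logon machinery, started it (assumed list).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Sections gpscript.exe acts on: /logon -> [Logon], /startup -> [Startup].
SCRIPT_SECTIONS = {"logon", "logoff", "startup", "shutdown"}


def parse_scripts_ini(text):
    """Return [(section, cmdline, parameters)] from scripts.ini / psscripts.ini content.

    On disk the file is UTF-16 LE under %SystemRoot%\\System32\\GroupPolicy\\{User,Machine}\\Scripts\\;
    entries are numbered 0CmdLine=/0Parameters=, 1CmdLine=/1Parameters=, ...
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        if section.lower() not in SCRIPT_SECTIONS:
            continue
        opts = cp[section]  # configparser lowercases option names
        idx = 0
        while f"{idx}cmdline" in opts:
            entries.append((section, opts[f"{idx}cmdline"], opts.get(f"{idx}parameters", "")))
            idx += 1
    return entries


def suspicious_script_entries(entries):
    """Heuristic (assumed): an absolute or UNC script path outside the GPO store or
    SYSVOL is worth a look. Bare names resolve inside the Scripts folder and are left alone."""
    flagged = []
    for section, cmdline, params in entries:
        c = cmdline.strip().strip('"').lower()
        absolute = len(c) > 1 and c[1] == ":"
        unc = c.startswith("\\\\")
        in_store = "\\grouppolicy\\" in c or "\\sysvol\\" in c
        if (absolute or unc) and not in_store:
            flagged.append((section, cmdline, params))
    return flagged


def triage_gpscript_events(events, logon_grace=timedelta(minutes=5)):
    """Return [(event_id, [reasons])] for gpscript.exe launches off the baseline.
    Expected keys (assumed schema, Sysmon EID 1 / Security 4688 style):
    id, image, command_line, parent_image, user, start, session_logon (datetimes)."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if not image.endswith("\\gpscript.exe"):
            continue
        cmd = ev["command_line"].lower()
        parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
        reasons = []
        if image not in EXPECTED_IMAGES:
            reasons.append("image outside System32/SysWOW64")
        if parent in INTERACTIVE_PARENTS:
            reasons.append(f"parent is {parent}")
        if "/logon" in cmd and ev["start"] - ev["session_logon"] > logon_grace:
            reasons.append("/logon invoked long after the session logged on")
        if "/startup" in cmd and ev["user"].upper() != "NT AUTHORITY\\SYSTEM":
            reasons.append("/startup invoked by a non-SYSTEM account")
        if reasons:
            findings.append((ev["id"], reasons))
    return findings


# --- constructed sample data (not captured from a real host) -----------------
SAMPLE_SCRIPTS_INI = """
[Logon]
0CmdLine=logon.bat
0Parameters=
1CmdLine=C:\\Users\\Public\\update.bat
1Parameters=/silent
"""

T0 = datetime(2024, 1, 1, 8, 0, 0)  # session logon time for the samples
SAMPLE_EVENTS = [
    {   # baseline: logon-time run; userinit.exe parent is an assumption, confirm against your own telemetry
        "id": 1, "image": r"C:\Windows\System32\gpscript.exe", "command_line": "gpscript.exe /logon",
        "parent_image": r"C:\Windows\System32\userinit.exe", "user": r"CORP\alice",
        "start": T0 + timedelta(seconds=20), "session_logon": T0,
    },
    {   # LOLBAS IOC: /logon from a shell hours after logon
        "id": 2, "image": r"C:\Windows\System32\gpscript.exe", "command_line": "Gpscript /logon",
        "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice",
        "start": T0 + timedelta(hours=3), "session_logon": T0,
    },
    {   # /startup from an elevated but non-SYSTEM PowerShell
        "id": 3, "image": r"C:\Windows\SysWOW64\gpscript.exe", "command_line": "Gpscript /startup",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"CORP\alice",
        "start": T0 + timedelta(hours=3, seconds=5), "session_logon": T0,
    },
]

if __name__ == "__main__":
    for entry in suspicious_script_entries(parse_scripts_ini(SAMPLE_SCRIPTS_INI)):
        print("scripts.ini:", entry)
    for ev_id, reasons in triage_gpscript_events(SAMPLE_EVENTS):
        print(f"event {ev_id}:", "; ".join(reasons))
```

When running this against real hosts, read the .ini files with `encoding="utf-16"` and pull the session logon time from the logon event (4624) for the same logon ID; a pure command-line match on `/logon` or `/startup` will fire on every legitimate logon, so the parent and timing checks are what make the signal usable.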

MIT License. Copyright (c) 2020-2021 Strontic.