gpscript.exe

  • File Path: C:\Windows\SysWOW64\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type Hash
MD5 CD4E4D21E316810DAC1274761D79D84B
SHA1 D8785C2442A34EBFAED7A8F95E064374261A5B57
SHA256 BA34765365FE1D6CE2864CABBC3A8864782C38722F7B24B7A0325E6A144868EE
SHA384 F596492BDB6D7E08BA4C94E146362866C805EC22CE00C838F60C7FCE70425E3FB55BEF1B05C5B9513D5A0028BD2F71D9
SHA512 51BF13A0B899B2303E04ADFF8BB9394FD4669D4984338715903176B812FBE4F7A0F5C99104A42D757E97730AB3A95E80F57C3F519823DCFDA7DFAE279846B4CA
SSDEEP 768:FMQX1flU+Bk3sc5At0j45vz/SrO7LJfiMzoKtudTy7Mapo0x:z++Bk3sc5W0j4Vz/SrU45QudTMMapv
IMP 53F08A1EE2C1A1E73577729E316B9F9F
PESHA1 55BFEDC45A1B5B18B8170AD6E64F6140D7A7402E
PE256 02212692010035817FF13AD6355FB4F72B163136054F8352C0818CF60FF65923

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\gpscript.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1518 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1518
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Gpscript.yml Name: Gpscript.exe  
LOLBAS Gpscript.yml - Command: Gpscript /logon  
LOLBAS Gpscript.yml - Command: Gpscript /startup  
LOLBAS Gpscript.yml - Path: C:\Windows\System32\gpscript.exe  
LOLBAS Gpscript.yml - Path: C:\Windows\SysWOW64\gpscript.exe  
LOLBAS Gpscript.yml - IOC: Execution of Gpscript.exe after logon  
LOLBAS Gpscript.yml - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/  

MIT License. Copyright (c) 2020-2021 Strontic.