grpconv.exe

  • File Path: C:\WINDOWS\system32\grpconv.exe
  • Description: Windows Progman Group Converter

Hashes

Type     Hash
MD5      1FA22ECCDF70C94FF98C4BD893E21730
SHA1     15E177B0F5CC3EADA73716C7A26C171302963B29
SHA256   D53A071C85A1A645C9EE40C599A1BDF65FBD92F366CBB07ADB1813F0F8A46D06
SHA384   55AC29AFA4ABD37C33734776F7DC96BDD53E344DE79517B231CCAE98F53144A23304B522BF9650218E14109B0E73749E
SHA512   AD698F60B5212181AAD5A554965134DEFBF45C7376D72045B99810E8CA99C0DCF39DBE18F1096F61A25B843506E1B4EC0C08B1CFD84D495D509DBBD29A3711BB
SSDEEP   384:8bC5YCcUfdhhjJWNDDn29zuONwcsniUcZbJEe06GWtsW:J55JdKDnoZOniUcZbGez
IMP      DF6575A8914FBE570472A31E0CECAC12
PESHA1   DA73F2EDFD2B3B4F7F758E1C94CEACD2E6D426C5
PE256    A4CCEAB5C184DC2469C50685D930A0CB4D66560DDBABAE42EDC8A29D999B7640

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\system32\grpconv.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\sechost.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GRPCONV.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/d53a071c85a1a645c9ee40c599a1bdf65fbd92f366cbb07adb1813f0f8a46d06/detection

Possible Misuse

The following table lists known examples of grpconv.exe being misused. grpconv.exe is not inherently malicious, but its legitimate functionality can be abused for malicious purposes, which is why detection rules reference it.

Source   Source File                                                  Example                  License
sigma    registry_event_asep_reg_keys_modification_wow6432node.yml    Details: 'grpconv -o'    DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.