scrcons.exe

  • File Path: C:\WINDOWS\system32\wbem\scrcons.exe
  • Description: WMI Standard Event Consumer - scripting

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 52AA7D6A4672FDE997E8909946103BCE |
| SHA1 | 1083726E188E43A2DFCD60D1F182A09749DA6AB6 |
| SHA256 | 30AD459B1AA86DF2D32973B4A36FAE66E3F8F1E6CFA3B99A422DDA041E5C1082 |
| SHA384 | 88BE0530CDF6ADDBA240EAA2BEC5E07073954EE56465D8934F00F848FB6C7EE896A80A7A3292DB4E4C9DF86726A89A85 |
| SHA512 | 69BD3ABAB8C1F466458DC3CB899AD5C17A06E960FC52FA569E86CDE485CCDB932EFA364048D8F511167C2AE2F18261549E61F58A9A4A87C7C7F57B8C48279565 |
| SSDEEP | 1536:acDI1alzfgkypCAxN6LtulvPSAvfAfM1VQr+nJbFTLIbec:aylzOYAxN6Ltul3VvYfwVQr+nJbxQr |
| IMP | 44D9C29F825F698B0B8C32EAAB43F9EA |
| PESHA1 | 7DF0DE7FCA4E7402E4F1A3BDE81D7C1925425FB1 |
| PE256 | DBEA8DC635D128F51B6EEBBC7FDEB345030E784E34F66CE3AAF784AE1DCCE662 |

Runtime Data

Usage (stdout):

Cannot run standalone

Loaded Modules:

| Path |
| --- |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\wbem\scrcons.exe |

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScrCons
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/30ad459b1aa86df2d32973b4a36fae66e3f8f1e6cfa3b99a422dda041e5c1082/detection

Possible Misuse

The following table contains possible examples of scrcons.exe being misused. While scrcons.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | godmode_sigma_rule.yml | - '*\scrcons.exe' | DRL 1.0 |
| sigma | win_scrcons_remote_wmi_scripteventconsumer.yml | ProcessName\|endswith: 'scrcons.exe' | DRL 1.0 |
| sigma | file_event_win_wmi_persistence_script_event_consumer_write.yml | Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' | DRL 1.0 |
| sigma | image_load_scrcons_imageload_wmi_scripteventconsumer.yml | description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process. | DRL 1.0 |
| sigma | image_load_scrcons_imageload_wmi_scripteventconsumer.yml | Image\|endswith: '\scrcons.exe' | DRL 1.0 |
| sigma | pipe_created_susp_wmi_consumer_namedpipe.yml | description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe | DRL 1.0 |
| sigma | pipe_created_susp_wmi_consumer_namedpipe.yml | Image\|endswith: '\scrcons.exe' | DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\scrcons.exe' | DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\scrcons.exe' | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | description: Detects a suspicious child process of Script Event Consumer (scrcons.exe). | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\scrcons.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\scrcons.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\scrcons.exe' | DRL 1.0 |
| sigma | proc_creation_win_wmi_persistence_script_event_consumer.yml | Image: C:\WINDOWS\system32\wbem\scrcons.exe | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.