wsqmcons.exe

  • File Path: C:\Windows\system32\wsqmcons.exe
  • Description: Windows SQM Consolidator

Hashes

Type Hash
MD5 94CD268C54DB44FBA471C7C47EC47D9B
SHA1 5265DA9D4097CB7A2603E3284775F64EC3CFE89E
SHA256 4D7FF4545DC15CE1DD21A7BC596AD9C58C851E17E296A0323646DBFEFF251764
SHA384 45E3B73B677BC86A7C0C85DAE3F1EB17B32FD4F531C2330099EF641079D434660C656761EF4082E0535659CE0841143C
SHA512 4ED8D6D48435F4EAB2FE3B3A829560F5B85CD4AD7DCEE6E50C48221A7A094E1169D8FA29CA068EC9983D4A4C27A487C6F2986E00D98C91B9D4F8500F3EA5961E
SSDEEP 1536:jAtfiOudE4pcDMKeAjIfgVyEvh3IS6+GJSbkJPKmgGQumre2q6l:Gudc6wVyEhcZ0YJZQuCe2N
IMP FF370845FCA22010F5DEAE452F312F19
PESHA1 7B7A93D4D612BA6707E952A92B1A45609231966C
PE256 E46812A1896CC8E725A81963A5C59817A69E77A9DEB3000B9B7A9D9B12DC3ED4

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wsqmcons.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wsqmcons.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/4d7ff4545dc15ce1dd21a7bc596ad9c58c851e17e296a0323646dbfeff251764/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\wsqmcons.exe 38
C:\Windows\system32\wsqmcons.exe 33
C:\WINDOWS\system32\wsqmcons.exe 40
C:\Windows\system32\wsqmcons.exe 35
C:\Windows\system32\wsqmcons.exe 35
C:\Windows\system32\wsqmcons.exe 35
C:\Windows\system32\wsqmcons.exe 40
C:\WINDOWS\system32\wsqmcons.exe 35

Possible Misuse

The following table contains possible examples of wsqmcons.exe being misused. While wsqmcons.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_apt_turla_comrat_may20.yml | - '.WSqmCons))\|iex;' | DRL 1.0 |
| malware-ioc | misp-turla-comrat-v4-event.json | "value": "HKLM\\SOFTWARE\\Microsoft\\SQMClient\\Windows.WSqmCons", | © ESET 2014-2018 |
| malware-ioc | turla | * ++HKLM\SOFTWARE\Microsoft\SQMClient\Windows.WSqmCons++ | © ESET 2014-2018 |

MIT License. Copyright (c) 2020-2021 Strontic.