wsqmcons.exe

  • File Path: C:\WINDOWS\system32\wsqmcons.exe
  • Description: Windows SQM Consolidator

Hashes

Type Hash
MD5 B9F66A2F757D06AA3BBCDC7B61E9EF4D
SHA1 083FBE4788E1054CA17CF3C36034C92BF901FA95
SHA256 C54275D41A0F0064588282CDCAD216D8C8950C72DF67EDCF621FCCA630064002
SHA384 321B5513BB1B619A89B56B6CD602AF93366E841EAC80D72399CC9DA865C865EB334B50E39000BFBBA976B03BF400691E
SHA512 F1CB9B31A1966A73201479EE5DDB856F14E56CD79FEA9E5657D369BF732DB74B89DBB1A6E0F30023BA0794DCA26059B791B531A5CA7F21DB02C0293C411C376F
SSDEEP 768:+semN6arbnYl6ovknlvMDElQuWnnnPreUVnbO6wGNjX:+seIYlgnlUGQumre2q6/
IMP 60ED12BA50819B682C1C40AF4A7BCBBD
PESHA1 26D3718FBB6D47AE0940A22377421F2DEDEF87C0
PE256 39E03814C677DB1A3604FAF9995745A4551048EED48D1DDCA90C801EB73F11CA

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\wsqmcons.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wsqmcons.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/c54275d41a0f0064588282cdcad216d8c8950c72df67edcf621fcca630064002/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\wsqmcons.exe 30
C:\Windows\system32\wsqmcons.exe 30
C:\WINDOWS\system32\wsqmcons.exe 35
C:\Windows\system32\wsqmcons.exe 30
C:\Windows\system32\wsqmcons.exe 33
C:\Windows\system32\wsqmcons.exe 47
C:\Windows\system32\wsqmcons.exe 32
C:\Windows\system32\wsqmcons.exe 35

Possible Misuse

The following table contains possible examples of wsqmcons.exe being misused. While wsqmcons.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_apt_turla_comrat_may20.yml | `- '.WSqmCons))\|iex;'` | DRL 1.0 |
| malware-ioc | misp-turla-comrat-v4-event.json | `"value": "HKLM\\SOFTWARE\\Microsoft\\SQMClient\\Windows.WSqmCons",` | © ESET 2014-2018 |
| malware-ioc | turla | `HKLM\SOFTWARE\Microsoft\SQMClient\Windows.WSqmCons` | © ESET 2014-2018 |

MIT License. Copyright (c) 2020-2021 Strontic.