File name:

qms_lib.exe

Full analysis: https://app.any.run/tasks/7adf4615-9b46-4515-b226-829f2c01b8d4
Verdict: Malicious activity
Analysis date: June 12, 2025, 01:32:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 5 sections
MD5:

A88D5DAF9A60B7B867A6794E0BAA5AD3

SHA1:

B8FCCB07656D845379C6CDF04DAED7E053D445CD

SHA256:

9AFAD7509A0AFB324A1FB89C697E21E72F5C709CD15345940CC635566019E5C5

SSDEEP:

98304:XOBuRJLEXc3mkbQtuUh3vS9c+arOA7qGRplv9m:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Connects to unusual port

      • qms_lib.exe (PID: 2696)

  • INFO

    • Checks supported languages

      • qms_lib.exe (PID: 2696)

    • Checks proxy server information

      • qms_lib.exe (PID: 2696)

    • Reads the computer name

      • qms_lib.exe (PID: 2696)

    • Application based on Rust

      • qms_lib.exe (PID: 2696)

    • Reads the software policy settings

      • qms_lib.exe (PID: 2696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:05 20:03:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 3710976
InitializedDataSize: 1402880
UninitializedDataSize: -
EntryPoint: 0x367dbc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start qms_lib.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2696"C:\qms_lib.exe" C:\qms_lib.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\qms_lib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3092\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeqms_lib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 517
Read events
8 517
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
150
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5012
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5556
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5556
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6404
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2696
qms_lib.exe
87.226.249.205:443
qms.ru
Rostelecom
RU
unknown
2696
qms_lib.exe
89.109.237.155:20000
dolgoprudny.qms.ru
Rostelecom
RU
unknown
2696
qms_lib.exe
62.148.152.75:20000
kaluga.qms.ru
38, Teatralnaya st.
RU
unknown
2696
qms_lib.exe
212.12.2.243:20000
tula.qms.ru
Rostelecom
RU
unknown
2696
qms_lib.exe
188.128.111.10:20000
ryazan.qms.ru
Rostelecom
RU
unknown
2696
qms_lib.exe
81.20.103.171:20000
ivanovo.qms.ru
Rostelecom
RU
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
qms.ru
  • 87.226.249.205
unknown
dolgoprudny.qms.ru
  • 89.109.237.155
unknown
moscow.qms.ru
  • 90.154.108.238
unknown
kaluga.qms.ru
  • 62.148.152.75
unknown
tula.qms.ru
  • 212.12.2.243
unknown
vladimir.qms.ru
  • 84.53.192.179
unknown
ryazan.qms.ru
  • 188.128.111.10
unknown
orel.qms.ru
  • 95.107.48.123
unknown
ivanovo.qms.ru
  • 81.20.103.171
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
qms_lib.exe