File name:

KMS_VL_ALL_AIO.exe

Full analysis: https://app.any.run/tasks/030376d8-0082-44eb-afb2-12b7ac27aa02
Verdict: Malicious activity
Analysis date: March 26, 2025, 18:47:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: advancedinstaller
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 9065CB66E4232E63AAD8568259506DB6
SHA1: 5F5B88BD5ACD4811F32F884411759FB3FDD358D6
SHA256: 2CE96DD0E86EDBAD2D62AF8CCD66247FCBAA928FFD47EFFF08DB131254CE7E74
SSDEEP: 98304:B35E+vGaiDnXGtwcmoQvoTn0iMu4cSoYvW+1pJxuAoYnkPOYEu4cSZkcL:fvGacofn0BckHJoYnkEc5cL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • KMS_VL_ALL_AIO.exe (PID: 7532)
      • msiexec.exe (PID: 7600)
      • Active.exe (PID: 8024)
    • Reads the Windows owner or organization settings

      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • ADVANCEDINSTALLER mutex has been found

      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • Executable content was dropped or overwritten

      • KMS_VL_ALL_AIO.exe (PID: 7532)
      • Active.exe (PID: 8024)
    • Starts POWERSHELL.EXE for commands execution

      • Active.exe (PID: 8024)
    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 7600)
      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • BASE64 encoded PowerShell command has been detected

      • Active.exe (PID: 8024)
    • Starts a Microsoft application from unusual location

      • RegAsm.exe (PID: 1804)
    • There is functionality for taking screenshot (YARA)

      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7860)
  • INFO

    • Checks supported languages

      • KMS_VL_ALL_AIO.exe (PID: 7532)
      • msiexec.exe (PID: 7600)
      • msiexec.exe (PID: 7700)
      • Active.exe (PID: 8024)
      • RegAsm.exe (PID: 1804)
    • Creates files or folders in the user directory

      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • Reads the computer name

      • msiexec.exe (PID: 7600)
      • KMS_VL_ALL_AIO.exe (PID: 7532)
      • msiexec.exe (PID: 7700)
      • KMS_VL_ALL_AIO.exe (PID: 6184)
    • Create files in a temporary directory

      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • The sample compiled with english language support

      • KMS_VL_ALL_AIO.exe (PID: 7532)
      • msiexec.exe (PID: 7600)
      • Active.exe (PID: 8024)
    • Reads Environment values

      • KMS_VL_ALL_AIO.exe (PID: 7532)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7576)
      • BackgroundTransferHost.exe (PID: 2088)
      • BackgroundTransferHost.exe (PID: 5360)
    • Manages system restore points

      • SrTasks.exe (PID: 8152)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7600)
    • Process checks computer location settings

      • Active.exe (PID: 8024)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 7600)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 2088)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 2088)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:04:23 07:52:46+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.28
CodeSize: 1559040
InitializedDataSize: 908288
UninitializedDataSize: -
EntryPoint: 0x1260c8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: KMS_VL_ALL_AIO
FileDescription: KMS_VL_ALL_AIO Installer
FileVersion: 1.0.0
InternalName: KMS_VL_ALL_AIO
LegalCopyright: Copyright (C) 2022 KMS_VL_ALL_AIO
OriginalFileName: KMS_VL_ALL_AIO.exe
ProductName: KMS_VL_ALL_AIO
ProductVersion: 1.0.0
No data.
Total processes: 157
Monitored processes: 23
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start kms_vl_all_aio.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs vssvc.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs active.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs slui.exe no specs regasm.exe no specs conhost.exe no specs msia741.tmp no specs kms_vl_all_aio.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1804
CMD: C:\Users\admin\AppData\Local\Temp\RegAsm.exe
Path: C:\Users\admin\AppData\Local\Temp\RegAsm.exe
Parent process: Active.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\users\admin\appdata\local\temp\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2088
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2568
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 4220
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4880
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5352
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5360
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5964
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Active.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 6184
CMD: "C:\Program Files (x86)\KMS_VL_ALL_AIO\KMS_VL_ALL_AIO\KMS_VL_ALL_AIO.exe"
Path: C:\Program Files (x86)\KMS_VL_ALL_AIO\KMS_VL_ALL_AIO\KMS_VL_ALL_AIO.exe
Parent process: MSIA741.tmp
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\program files (x86)\kms_vl_all_aio\kms_vl_all_aio\kms_vl_all_aio.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
c:\windows\syswow64\msvcrt.dll
PID: 7148
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 13 624
Read events: 13 330
Write events: 280
Delete events: 14

Modification events

(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000005FA4F19E7F9EDB01B01D0000A01E0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000010F5F39E7F9EDB01B01D0000A01E0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000933938A07F9EDB01B01D0000A01E0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000E2073DA07F9EDB01B01D0000A01E0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000046502CA07F9EDB01B01D0000A01E0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000046502CA07F9EDB01B01D0000A01E0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7600) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (7860) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000295D56A17F9EDB01B41E0000DC1E0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7860) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000295D56A17F9EDB01B41E0000E01E0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7860) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000295D56A17F9EDB01B41E0000F0010000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 20
Suspicious files: 20
Text files: 19
Unknown types: 0

Dropped files

PID | Process | Filename | Type
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\insticon
Type: image
MD5:66C842AF0B4FC1C918F531D2E1087B82
SHA256:48278165490487EE414BE65E20501B19A65EDAF1B6F473EB7D8C55023175EC88
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\shiC390.tmp
Type: executable
MD5:84A34BF3486F7B9B7035DB78D78BDD1E
SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\info
Type: image
MD5:554FF4C199562515D758C9ABFF5C2943
SHA256:9AE4A96BF2A349667E844ACC1E2AC4F89361A6182268438F4D063DF3A6FC47BC
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\Up
Type: image
MD5:83730AC00391FB0F02F56FE2E4207A10
SHA256:573E3260EED63604F24F6F10CE5294E25E22FDA9E5BFD9010134DE6E684BAB98
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\removico
Type: image
MD5:20D25E871A244B94574C47726DE745D6
SHA256:88DD7EE9FA22ECDBDC6B3D47DB83BC3D72360AEB43588E6A9A008B224389CB1C
PID: 2088
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\46e46bea-36cc-4d05-9c9e-57e0b79b6112.down_data
MD5:
SHA256:
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Roaming\KMS_VL_ALL_AIO\KMS_VL_ALL_AIO 1.0.0\install\KMS_VL_ALL_AIO.msi
Type: executable
MD5:CEC1E6A8D11A085632C32511EDF5C2F2
SHA256:8536D4138DD6003691D90F63B95D34E93145D0AA291EA0DE296D2472BFDF6884
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\New
Type: image
MD5:C23CBF002D82192481B61ED7EC0890F4
SHA256:4F92E804A11453382EBFF7FB0958879BAE88FE3366306911DEC9D811CD306EED
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\dialog
Type: image
MD5:553DF955CB4B2E7BE5CEF99CB8EC9254
SHA256:F1FCB09DF932AEF09B24EEA796286CEAEDCBCECCD4D8F4536345163C4D3D9FF7
PID: 7532
Process: KMS_VL_ALL_AIO.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7532\repairic
Type: image
MD5:D234CA0358B21BDCFC5E3F9B2E7C7A22
SHA256:99D490C2BDEF5115F306A595964663540370141F65A25C5052352155F2603F68
HTTP(S) requests: 6
TCP/UDP connections: 33
DNS requests: 16
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.148:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2088
BackgroundTransferHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7788
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
8012
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8012
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.148:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2656
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
20.197.71.89:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7788
backgroundTaskHost.exe
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.148
  • 23.48.23.145
  • 23.48.23.177
  • 23.48.23.176
  • 23.48.23.157
  • 23.48.23.169
  • 23.48.23.144
  • 23.48.23.167
  • 23.48.23.170
whitelisted
client.wns.windows.com
  • 20.197.71.89
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.2
  • 20.190.159.130
  • 40.126.31.0
  • 20.190.159.75
  • 20.190.159.131
  • 40.126.31.128
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.21
  • 92.123.104.22
  • 92.123.104.25
  • 92.123.104.20
  • 92.123.104.17
  • 92.123.104.14
  • 92.123.104.26
  • 92.123.104.10
  • 92.123.104.11
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info