File name:

KMS_VL_ALL_AIO.cmd

Full analysis: https://app.any.run/tasks/1e96e3ad-468f-4743-b6b1-d7616acf64ff
Verdict: Malicious activity
Analysis date: March 21, 2024, 11:45:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: exported SGML document, ASCII text, with CRLF line terminators
MD5:

B7704F8278FF47C8E3CBCBC05C0F584E

SHA1:

38E74790E64A034FF2D1AFCF2017E5CD640CEA3C

SHA256:

69F3684EB086EB71D86869CDDA94BA2E58BA5B5BE0803A3572891ED532CCE94C

SSDEEP:

6144:bcJDJzLuHpIvzGDNS8xFfKR5pw9rIjEUqbj8Hm6p/fH:4JDJzApIqxFyR5pmUjE/j8G2/f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a writable file in the system directory

      • powershell.exe (PID: 2268)

    • Drops the executable file immediately after the start

      • csc.exe (PID: 3084)
      • powershell.exe (PID: 2268)

    • Starts Visual C# compiler

      • powershell.exe (PID: 2268)

    • Starts NET.EXE for service management

      • net.exe (PID: 3472)
      • net.exe (PID: 2644)
      • net.exe (PID: 3024)
      • net.exe (PID: 2320)
      • cmd.exe (PID: 3980)
      • net.exe (PID: 1036)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 1496)
      • cmd.exe (PID: 3980)

    • Reads the Internet Settings

      • wscript.exe (PID: 4004)
      • cscript.exe (PID: 1368)
      • WMIC.exe (PID: 848)
      • WMIC.exe (PID: 2668)
      • WMIC.exe (PID: 1780)
      • WMIC.exe (PID: 3036)
      • WMIC.exe (PID: 2596)
      • WMIC.exe (PID: 1336)
      • WMIC.exe (PID: 3224)
      • WMIC.exe (PID: 764)
      • WMIC.exe (PID: 2324)
      • WMIC.exe (PID: 2432)
      • WMIC.exe (PID: 2632)
      • WMIC.exe (PID: 2064)
      • WMIC.exe (PID: 1368)
      • WMIC.exe (PID: 552)
      • WMIC.exe (PID: 2792)
      • WMIC.exe (PID: 268)
      • WMIC.exe (PID: 1316)
      • WMIC.exe (PID: 764)
      • WMIC.exe (PID: 3828)
      • WMIC.exe (PID: 2324)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1496)
      • cmd.exe (PID: 3980)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1496)
      • cmd.exe (PID: 3980)

    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 1368)

    • Uses RUNDLL32.EXE to load library

      • cscript.exe (PID: 1368)

    • Executing commands from ".cmd" file

      • cscript.exe (PID: 1368)

    • Starts CMD.EXE for commands execution

      • cscript.exe (PID: 1368)
      • cmd.exe (PID: 3980)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3980)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 3636)

    • Application launched itself

      • cmd.exe (PID: 3980)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3980)

    • Hides command output

      • cmd.exe (PID: 2580)
      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 1572)
      • cmd.exe (PID: 1236)
      • cmd.exe (PID: 3684)
      • cmd.exe (PID: 2644)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3980)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 2268)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2268)
      • csc.exe (PID: 3084)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3980)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 840)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 3224)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 3636)
      • cmd.exe (PID: 2040)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 2488)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1496)
      • wscript.exe (PID: 4004)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 1368)

    • Checks operating system version

      • cmd.exe (PID: 3980)

    • Checks supported languages

      • mode.com (PID: 784)
      • mode.com (PID: 4064)
      • csc.exe (PID: 3084)
      • cvtres.exe (PID: 2556)
      • mode.com (PID: 3644)
      • mode.com (PID: 3708)
      • mode.com (PID: 2964)
      • mode.com (PID: 3996)
      • mode.com (PID: 2984)

    • Reads Microsoft Office registry keys

      • reg.exe (PID: 2232)
      • reg.exe (PID: 4000)
      • reg.exe (PID: 2960)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 3084)
      • cvtres.exe (PID: 2556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.wsf | Windows Script File (72.7)
.html | HyperText Markup Language (27.2)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
291
Monitored processes
242
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs wscript.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs wmic.exe no specs find.exe no specs powershell.exe no specs find.exe no specs reg.exe no specs cscript.exe no specs rundll32.exe no specs cmd.exe reg.exe no specs find.exe no specs wmic.exe no specs find.exe no specs powershell.exe no specs find.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs find.exe no specs reg.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs mode.com no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs mode.com no specs powershell.exe no specs find.exe no specs sc.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs powershell.exe csc.exe cvtres.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs findstr.exe no specs wmic.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs reg.exe no specs reg.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs wmic.exe no specs findstr.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs find.exe no specs net.exe no specs net1.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs net.exe no specs net1.exe no specs sc.exe no specs find.exe no specs sc.exe no specs mode.com no specs reg.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs mode.com no specs reg.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs mode.com no specs reg.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs mode.com no specs powershell.exe no specs sc.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs findstr.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs mode.com no specs find.exe no specs reg.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
124find /i "0x0" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
240powershell -nop -c $ExecutionContext.SessionState.LanguageMode C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
268wmic path OfficeSoftwareProtectionProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%' ) get Name /value C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
324find /i "STOPPED" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
392reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080 C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
532find /i "STOPPED" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
552reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
552wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and LicenseStatus='1' ) get Name /valueC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
584sc query sppsvc C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
21 196
Read events
21 155
Write events
39
Delete events
2

Modification events

(PID) Process:(1368) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1368) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1368) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1368) cscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3016) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe
Operation:writeName:VerifierDlls
Value:
SppExtComObjHook.dll
(PID) Process:(1932) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe
Operation:writeName:VerifierDebug
Value:
0
(PID) Process:(3048) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe
Operation:writeName:VerifierFlags
Value:
(PID) Process:(3440) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe
Operation:writeName:GlobalFlag
Value:
256
(PID) Process:(908) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe
Operation:writeName:KMS_Emulation
Value:
1
(PID) Process:(3416) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe
Operation:writeName:KMS_ActivationInterval
Value:
120
Executable files
2
Suspicious files
14
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
2268powershell.exeC:\Windows\Temp\rbchu4ax.bqm.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3192powershell.exeC:\Users\admin\AppData\Local\Temp\xc2cqwon.w1f.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2268powershell.exeC:\Windows\Temp\cuvv0kgy\cuvv0kgy.0.cstext
MD5:EAFBB318108FC62A15B458EBBA405940
SHA256:45EE3DD57AA47FCF92C09A44276DE5EF1688BB0563E09206D8E882528E6DE9D2
3084csc.exeC:\Windows\Temp\cuvv0kgy\CSC4E50063061AB4B56ADDB1BA62BF9CAE7.TMPbinary
MD5:E2E6DDE85AAEA4736D9F1DA750F6C06B
SHA256:4E4967400D308D29D8B3EC8E83D896C11248256A1EA8E2D99125E1D7447C3A67
240powershell.exeC:\Users\admin\AppData\Local\Temp\vixxjkqa.ynu.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3980cmd.exeC:\Windows\Temp\`.txtbinary
MD5:FFE40BE0916C7302AE237FEEBE53CF4B
SHA256:6EF78A8EF8E0752565DCC75E10DB254A573A51EAA183F0BFF99494E62F0B57C6
2268powershell.exeC:\Windows\Temp\cuvv0kgy\cuvv0kgy.cmdlinetext
MD5:ADF8050EC82B77D426677EFFEC5C6899
SHA256:926DE4CD7741DFE902947FA5B4960FC6EF6793B1C74A04DAB1ACE640CBAAAAD8
3192powershell.exeC:\Users\admin\AppData\Local\Temp\5j0ye53m.h1l.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2356powershell.exeC:\Users\admin\AppData\Local\Temp\13iqhycg.opy.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3084csc.exeC:\Windows\Temp\cuvv0kgy\cuvv0kgy.dllexecutable
MD5:47CCE43F08C02E3BA52EDD4B3D8962B1
SHA256:B5FF9878626C412CF4CF04A5A5C206A7EB546033A86B498B456C430BC04AB6B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KMS_VL_ALL_AIO.cmd