Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
1!!BEST TWE...he.exe
windows7-x64
1!!BEST TWE...he.exe
windows10-2004-x64
1!!BEST TWE...ng.bat
windows7-x64
1!!BEST TWE...ng.bat
windows10-2004-x64
1!!BEST TWE...SE.bat
windows7-x64
1!!BEST TWE...SE.bat
windows10-2004-x64
1!!BEST TWE...me.lnk
windows7-x64
3!!BEST TWE...me.lnk
windows10-2004-x64
7!!BEST TWE...rs.url
windows7-x64
1!!BEST TWE...rs.url
windows10-2004-x64
1!!BEST TWE...rs.url
windows7-x64
1!!BEST TWE...rs.url
windows10-2004-x64
1!!BEST TWE...rs.url
windows7-x64
1!!BEST TWE...rs.url
windows10-2004-x64
1!!BEST TWE...Us.cmd
windows7-x64
1!!BEST TWE...Us.cmd
windows10-2004-x64
4!!BEST TWE...ll.lnk
windows7-x64
3!!BEST TWE...ll.lnk
windows10-2004-x64
7!!BEST TWE...ps.lnk
windows7-x64
3!!BEST TWE...ps.lnk
windows10-2004-x64
3!!BEST TWE...er.ps1
windows7-x64
3!!BEST TWE...er.ps1
windows10-2004-x64
3!!BEST TWE...er.ps1
windows7-x64
3!!BEST TWE...er.ps1
windows10-2004-x64
3!!BEST TWE...ck.ps1
windows7-x64
3!!BEST TWE...ck.ps1
windows10-2004-x64
3!!BEST TWE...ts.ps1
windows7-x64
3!!BEST TWE...ts.ps1
windows10-2004-x64
3!!BEST TWE...or.ps1
windows7-x64
3!!BEST TWE...or.ps1
windows10-2004-x64
3!!BEST TWE...il.ps1
windows7-x64
3!!BEST TWE...il.ps1
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01/07/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
!!BEST TWEAKS/PC Cleanup/Clear Memory Cache.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
!!BEST TWEAKS/PC Cleanup/Clear Memory Cache.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
!!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral4
Sample
!!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
!!BEST TWEAKS/Registry _ Batch/EnableFSE.bat
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral6
Sample
!!BEST TWEAKS/Registry _ Batch/EnableFSE.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/# Get Network Adapter Name.lnk
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral8
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/# Get Network Adapter Name.lnk
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Ethernet Drivers.url
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral10
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Ethernet Drivers.url
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Wifi Drivers.url
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral12
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Wifi Drivers.url
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Realtek Ethernet Drivers.url
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral14
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Realtek Ethernet Drivers.url
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Revert/PowerShell.lnk
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Revert/PowerShell.lnk
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Uninstall Apps.lnk
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Uninstall Apps.lnk
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Builder.ps1
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral22
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Builder.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Viewer - Mixed Reality Viewer.ps1
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral24
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Viewer - Mixed Reality Viewer.ps1
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Alarms and Clock.ps1
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral26
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Alarms and Clock.ps1
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Bing Sports.ps1
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral28
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Bing Sports.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calculator.ps1
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calculator.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calendar and Mail.ps1
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral32
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calendar and Mail.ps1
Resource
win10v2004-20240611-en
windows10-2004-x64
General
-
Target
!!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
-
Size
763B
-
MD5
4d7ad463f41e3489cfa8ec4327a67166
-
SHA1
b6424856de31b9bf49b2f354186e7f8598802b3b
-
SHA256
35e2e4cfae6c8e936cef2b3cf2ce179687eef3ad89e8746e81cc228b5588a090
-
SHA512
01bcc635644cfaf1f8673098b301e0d25e9adabb1b5c3b448041f1edf5bf43c82e2286c992079407916a875d5a9d1c1f152779883e456626a3940d20aec173d6
Malware Config
Signatures
-
Kills process with taskkill 1 IoCs
pid Process 352 taskkill.exe -
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 352 taskkill.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 2212 wrote to memory of 352 2212 cmd.exe 29 PID 2212 wrote to memory of 352 2212 cmd.exe 29 PID 2212 wrote to memory of 352 2212 cmd.exe 29 PID 2212 wrote to memory of 2996 2212 cmd.exe 31 PID 2212 wrote to memory of 2996 2212 cmd.exe 31 PID 2212 wrote to memory of 2996 2212 cmd.exe 31 PID 2996 wrote to memory of 2584 2996 net.exe 32 PID 2996 wrote to memory of 2584 2996 net.exe 32 PID 2996 wrote to memory of 2584 2996 net.exe 32 PID 2212 wrote to memory of 2132 2212 cmd.exe 33 PID 2212 wrote to memory of 2132 2212 cmd.exe 33 PID 2212 wrote to memory of 2132 2212 cmd.exe 33 PID 2132 wrote to memory of 3052 2132 net.exe 34 PID 2132 wrote to memory of 3052 2132 net.exe 34 PID 2132 wrote to memory of 3052 2132 net.exe 34 PID 2212 wrote to memory of 2436 2212 cmd.exe 35 PID 2212 wrote to memory of 2436 2212 cmd.exe 35 PID 2212 wrote to memory of 2436 2212 cmd.exe 35 PID 2212 wrote to memory of 2620 2212 cmd.exe 36 PID 2212 wrote to memory of 2620 2212 cmd.exe 36 PID 2212 wrote to memory of 2620 2212 cmd.exe 36 PID 2212 wrote to memory of 2648 2212 cmd.exe 37 PID 2212 wrote to memory of 2648 2212 cmd.exe 37 PID 2212 wrote to memory of 2648 2212 cmd.exe 37 PID 2212 wrote to memory of 2688 2212 cmd.exe 38 PID 2212 wrote to memory of 2688 2212 cmd.exe 38 PID 2212 wrote to memory of 2688 2212 cmd.exe 38 PID 2212 wrote to memory of 2700 2212 cmd.exe 39 PID 2212 wrote to memory of 2700 2212 cmd.exe 39 PID 2212 wrote to memory of 2700 2212 cmd.exe 39 PID 2212 wrote to memory of 2608 2212 cmd.exe 40 PID 2212 wrote to memory of 2608 2212 cmd.exe 40 PID 2212 wrote to memory of 2608 2212 cmd.exe 40 PID 2608 wrote to memory of 2704 2608 net.exe 41 PID 2608 wrote to memory of 2704 2608 net.exe 41 PID 2608 wrote to memory of 2704 2608 net.exe 41 PID 2212 wrote to memory of 2736 2212 cmd.exe 42 PID 2212 wrote to memory of 2736 2212 cmd.exe 42 PID 2212 wrote to memory of 2736 2212 cmd.exe 42 PID 2736 wrote to memory of 2088 2736 net.exe 43 PID 2736 wrote to memory of 2088 2736 net.exe 43 PID 2736 wrote to memory of 2088 2736 net.exe 43
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\!!BEST TWEAKS\Windows Post-Installation Pack\1 Disable WUs\2 Disable WUs.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\system32\taskkill.exetaskkill /F /FI "IMAGENAME eq SystemSettings.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:352
-
-
C:\Windows\system32\net.exenet stop wuauserv2⤵
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wuauserv3⤵PID:2584
-
-
-
C:\Windows\system32\net.exenet stop UsoSvc2⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UsoSvc3⤵PID:3052
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d "1" /f2⤵PID:2436
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "SetDisableUXWUAccess" /t REG_DWORD /d "1" /f2⤵PID:2620
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f2⤵PID:2648
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:2688
-
-
C:\Windows\system32\gpupdate.exegpupdate /force2⤵PID:2700
-
-
C:\Windows\system32\net.exenet start wuauserv2⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start wuauserv3⤵PID:2704
-
-
-
C:\Windows\system32\net.exenet start UsoSvc2⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start UsoSvc3⤵PID:2088
-
-