Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
1!!BEST TWE...he.exe
windows7-x64
1!!BEST TWE...he.exe
windows10-2004-x64
1!!BEST TWE...ng.bat
windows7-x64
1!!BEST TWE...ng.bat
windows10-2004-x64
1!!BEST TWE...SE.bat
windows7-x64
1!!BEST TWE...SE.bat
windows10-2004-x64
1!!BEST TWE...me.lnk
windows7-x64
3!!BEST TWE...me.lnk
windows10-2004-x64
7!!BEST TWE...rs.url
windows7-x64
1!!BEST TWE...rs.url
windows10-2004-x64
1!!BEST TWE...rs.url
windows7-x64
1!!BEST TWE...rs.url
windows10-2004-x64
1!!BEST TWE...rs.url
windows7-x64
1!!BEST TWE...rs.url
windows10-2004-x64
1!!BEST TWE...Us.cmd
windows7-x64
1!!BEST TWE...Us.cmd
windows10-2004-x64
4!!BEST TWE...ll.lnk
windows7-x64
3!!BEST TWE...ll.lnk
windows10-2004-x64
7!!BEST TWE...ps.lnk
windows7-x64
3!!BEST TWE...ps.lnk
windows10-2004-x64
3!!BEST TWE...er.ps1
windows7-x64
3!!BEST TWE...er.ps1
windows10-2004-x64
3!!BEST TWE...er.ps1
windows7-x64
3!!BEST TWE...er.ps1
windows10-2004-x64
3!!BEST TWE...ck.ps1
windows7-x64
3!!BEST TWE...ck.ps1
windows10-2004-x64
3!!BEST TWE...ts.ps1
windows7-x64
3!!BEST TWE...ts.ps1
windows10-2004-x64
3!!BEST TWE...or.ps1
windows7-x64
3!!BEST TWE...or.ps1
windows10-2004-x64
3!!BEST TWE...il.ps1
windows7-x64
3!!BEST TWE...il.ps1
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
!!BEST TWEAKS/PC Cleanup/Clear Memory Cache.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
!!BEST TWEAKS/PC Cleanup/Clear Memory Cache.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
!!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral4
Sample
!!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
!!BEST TWEAKS/Registry _ Batch/EnableFSE.bat
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral6
Sample
!!BEST TWEAKS/Registry _ Batch/EnableFSE.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/# Get Network Adapter Name.lnk
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral8
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/# Get Network Adapter Name.lnk
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Ethernet Drivers.url
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral10
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Ethernet Drivers.url
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Wifi Drivers.url
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral12
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Wifi Drivers.url
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Realtek Ethernet Drivers.url
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral14
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Realtek Ethernet Drivers.url
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Revert/PowerShell.lnk
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Revert/PowerShell.lnk
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Uninstall Apps.lnk
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Uninstall Apps.lnk
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Builder.ps1
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral22
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Builder.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Viewer - Mixed Reality Viewer.ps1
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral24
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Viewer - Mixed Reality Viewer.ps1
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Alarms and Clock.ps1
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral26
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Alarms and Clock.ps1
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Bing Sports.ps1
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral28
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Bing Sports.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calculator.ps1
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calculator.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calendar and Mail.ps1
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral32
Sample
!!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calendar and Mail.ps1
Resource
win10v2004-20240611-en
windows10-2004-x64
General
-
Target
!!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
-
Size
763B
-
MD5
4d7ad463f41e3489cfa8ec4327a67166
-
SHA1
b6424856de31b9bf49b2f354186e7f8598802b3b
-
SHA256
35e2e4cfae6c8e936cef2b3cf2ce179687eef3ad89e8746e81cc228b5588a090
-
SHA512
01bcc635644cfaf1f8673098b301e0d25e9adabb1b5c3b448041f1edf5bf43c82e2286c992079407916a875d5a9d1c1f152779883e456626a3940d20aec173d6
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.EDB cmd.exe File opened for modification C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.JFM cmd.exe File opened for modification C:\Windows\SoftwareDistribution\DATAST~1\Logs\edb.log cmd.exe File opened for modification C:\Windows\SoftwareDistribution\REPORT~1.LOG cmd.exe -
Kills process with taskkill 1 IoCs
pid Process 4500 taskkill.exe -
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4500 taskkill.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2016 wrote to memory of 4500 2016 cmd.exe 83 PID 2016 wrote to memory of 4500 2016 cmd.exe 83 PID 2016 wrote to memory of 64 2016 cmd.exe 85 PID 2016 wrote to memory of 64 2016 cmd.exe 85 PID 64 wrote to memory of 3140 64 net.exe 86 PID 64 wrote to memory of 3140 64 net.exe 86 PID 2016 wrote to memory of 1500 2016 cmd.exe 87 PID 2016 wrote to memory of 1500 2016 cmd.exe 87 PID 1500 wrote to memory of 4868 1500 net.exe 88 PID 1500 wrote to memory of 4868 1500 net.exe 88 PID 2016 wrote to memory of 3568 2016 cmd.exe 89 PID 2016 wrote to memory of 3568 2016 cmd.exe 89 PID 2016 wrote to memory of 3868 2016 cmd.exe 90 PID 2016 wrote to memory of 3868 2016 cmd.exe 90 PID 2016 wrote to memory of 3916 2016 cmd.exe 91 PID 2016 wrote to memory of 3916 2016 cmd.exe 91 PID 2016 wrote to memory of 2300 2016 cmd.exe 92 PID 2016 wrote to memory of 2300 2016 cmd.exe 92 PID 2016 wrote to memory of 3776 2016 cmd.exe 93 PID 2016 wrote to memory of 3776 2016 cmd.exe 93 PID 2016 wrote to memory of 2516 2016 cmd.exe 102 PID 2016 wrote to memory of 2516 2016 cmd.exe 102 PID 2516 wrote to memory of 1828 2516 net.exe 103 PID 2516 wrote to memory of 1828 2516 net.exe 103 PID 2016 wrote to memory of 1260 2016 cmd.exe 104 PID 2016 wrote to memory of 1260 2016 cmd.exe 104 PID 1260 wrote to memory of 4624 1260 net.exe 105 PID 1260 wrote to memory of 4624 1260 net.exe 105
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\!!BEST TWEAKS\Windows Post-Installation Pack\1 Disable WUs\2 Disable WUs.cmd"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\system32\taskkill.exetaskkill /F /FI "IMAGENAME eq SystemSettings.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
C:\Windows\system32\net.exenet stop wuauserv2⤵
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wuauserv3⤵PID:3140
-
-
-
C:\Windows\system32\net.exenet stop UsoSvc2⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UsoSvc3⤵PID:4868
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d "1" /f2⤵PID:3568
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "SetDisableUXWUAccess" /t REG_DWORD /d "1" /f2⤵PID:3868
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f2⤵PID:3916
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:2300
-
-
C:\Windows\system32\gpupdate.exegpupdate /force2⤵PID:3776
-
-
C:\Windows\system32\net.exenet start wuauserv2⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start wuauserv3⤵PID:1828
-
-
-
C:\Windows\system32\net.exenet start UsoSvc2⤵
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start UsoSvc3⤵PID:4624
-
-