Trojan.Encoder.31978

Added to the Dr.Web virus database: 2020-06-11

Virus description added:

Technical Information

To ensure autorun and distribution
Creates the following files on removable media
  • <Drive name for removable media>:\conti_readme.txt
  • <Drive name for removable media>:\default.bmp
  • <Drive name for removable media>:\trivial-merge.html
  • <Drive name for removable media>:\about.html
  • <Drive name for removable media>:\browse.html
  • <Drive name for removable media>:\adadsi.html
  • <Drive name for removable media>:\ituneshelpunavailable.html
  • <Drive name for removable media>:\1189.jpeg
  • <Drive name for removable media>:\dial.bmp
  • <Drive name for removable media>:\13.jpg
  • <Drive name for removable media>:\dialmap.bmp
  • <Drive name for removable media>:\toolbar.bmp
  • <Drive name for removable media>:\dashborder_120.bmp
  • <Drive name for removable media>:\coffee.bmp
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Executes the following
Modifies file system
Creates the following files
  • C:\conti_readme.txt
  • C:\documents and settings\conti_readme.txt
  • <Current directory>\conti_readme.txt
  • D:\conti_readme.txt
  • C:\far2\conti_readme.txt
Changes user data files extensions (Trojan.Encoder).
Miscellaneous
Creates and executes the following
Executes the following
  • '%WINDIR%\syswow64\net1.exe' stop EPUpdateService /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop EPUpdateService /y
  • '%WINDIR%\syswow64\net1.exe' stop EPSecurityService /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop EPSecurityService /y
  • '%WINDIR%\syswow64\net1.exe' stop DCAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop DCAgent /y
  • '%WINDIR%\syswow64\net1.exe' stop bedbg /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop AcrSch2Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop AcronisAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • '<SYSTEM32>\vssvc.exe'
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • '%WINDIR%\syswow64\net1.exe' stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop AcronisAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop McShield /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • '%WINDIR%\syswow64\net1.exe' stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /c net stop BackupExecRPCService /y
  • '%WINDIR%\syswow64\net1.exe' stop McShield /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop McTaskManager /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop mozyprobackup /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MsDtsServer /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop mfefire /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeES /y
  • '%WINDIR%\syswow64\net1.exe' stop MMS /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MMS /y
  • '%WINDIR%\syswow64\net1.exe' stop mfevtp /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop mfevtp /y
  • '%WINDIR%\syswow64\net1.exe' stop mfemms /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop mfemms /y
  • '%WINDIR%\syswow64\net1.exe' stop McTaskManager /y
  • '%WINDIR%\syswow64\net1.exe' stop mozyprobackup /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop AVP /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSExchangeIS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeIS /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSExchangeES /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeSA /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSExchangeSA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\cmd.exe' /c net stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop mfefire /y

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
