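Technical Information (registry modifications, kernel-driver services, created files, window class, and executed commands)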
- [<HKLM>\SYSTEM\ControlSet001\Services\fltsrv64] 'ImagePath' = 'System32\DRIVERS\fltsrv64.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\fltsrv64] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\fltsrv64] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\fltsrv64] 'ImagePath' = 'System32\DRIVERS\fltsrv64.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\snapman64] 'ImagePath' = 'System32\DRIVERS\snapman64.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\snapman64] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\snapman64] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\snapman64] 'ImagePath' = 'System32\DRIVERS\snapman64.sys'
- 'fltsrv64' System32\DRIVERS\fltsrv64.sys
- 'snapman64' System32\DRIVERS\snapman64.sys
- %TEMP%\ptdboot\trueimage\acronis.cmd
- %TEMP%\ptdboot\trueimage\thread_pool.dll
- %TEMP%\ptdboot\trueimage\tib_api.dll
- %TEMP%\ptdboot\trueimage\tib_mounter.dll
- %TEMP%\ptdboot\trueimage\ulxmlrpcpp.dll
- %TEMP%\ptdboot\trueimage\vccorlib120.dll
- %TEMP%\ptdboot\trueimage\fltsrv.sys
- %TEMP%\ptdboot\trueimage\snapman.sys
- %ALLUSERSPROFILE%\acronis\trueimagehome\database\archives.db-shm
- %TEMP%\ptdboot\trueimage\snapman64.sys
- <DRIVERS>\snapman64.sys
- <DRIVERS>\fltsrv64.sys
- %ALLUSERSPROFILE%\acronis\snapapilogs\snapapi-20200916-045423-227.log
- %ALLUSERSPROFILE%\acronis\trueimagehome\database\archives.db-journal
- %ALLUSERSPROFILE%\acronis\trueimagehome\database\archives.db
- %TEMP%\ptdboot\trueimage\snapapi.dll
- %TEMP%\ptdboot\trueimage\fltsrv64.sys
- %TEMP%\ptdboot\trueimage\rpc_client.dll
- %TEMP%\ptdboot\trueimage\icu38.dll
- %TEMP%\ptdboot\trueimage\st.cmd
- %TEMP%\ptdboot\trueimage\runassystem64.exe
- %TEMP%\ptdboot\trueimage\trueimage.exe
- %TEMP%\ptdboot\trueimage\dfscli.dll
- %TEMP%\ptdboot\trueimage\expat.dll
- %TEMP%\ptdboot\trueimage\fox.dll
- %TEMP%\ptdboot\trueimage\icudt38.dll
- %TEMP%\ptdboot\trueimage\oem_doc_source.dll
- %TEMP%\ptdboot\trueimage\kb_link.dll
- %TEMP%\ptdboot\trueimage\libcrypto10.dll
- %TEMP%\ptdboot\trueimage\libssl10.dll
- %TEMP%\ptdboot\trueimage\logging.dll
- %TEMP%\ptdboot\trueimage\msvcp120.dll
- %TEMP%\ptdboot\trueimage\msvcr120.dll
- %TEMP%\ptdboot\trueimage\resource.dll
- %ALLUSERSPROFILE%\acronis\trueimagehome\database\archives.db-wal
- %ALLUSERSPROFILE%\acronis\trueimagehome\database\archives.db-journal
- %ALLUSERSPROFILE%\acronis\trueimagehome\database\archives.db-journal
- ClassName: 'TRUEIMAGE_DUMMY_APPLICATION_WINDOW' WindowName: ''
- '%TEMP%\ptdboot\trueimage\trueimage.exe'
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\TrueImageHome\Settings /f /v "ServiceDir" /T REG_SZ /D "' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "auto_reactivate64.bin" /T REG_SZ /D "auto_reactivate64.bin"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "auto_reactivate.bin" /T REG_SZ /D "auto_reactivate.bin"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "libcrypto10.dll" /T REG_SZ /D "libcrypto10.dll"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "thread_pool.dll" /T REG_SZ /D "thread_pool.dll"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "resource.dll" /T REG_SZ /D "resource.dll"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "rpc_client.dll" /T REG_SZ /D "rpc_client.dll"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "icu38.dll" /T REG_SZ /D "icu38.dll"' (with hidden window)
- '<SYSTEM32>\reg.exe' Add HKLM\Software\Acronis\TrueImage /f /v "standard" /t REG_SZ /d " 7 24 17 16 6 15 7102120 23 17 24 27 16 17 15 17120 16 97103 27 17 3 15 16120 22 97 98 17 12 27109 17120 17 97109103 17 22...' (with hidden window)
- '<SYSTEM32>\sc.exe' start snapman64' (with hidden window)
- '<SYSTEM32>\sc.exe' create snapman64 type= kernel start= boot binpath= "System32\DRIVERS\snapman64.sys"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "Type" /T REG_DWORD /D "1"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "Start" /T REG_DWORD /D "0"' (with hidden window)
- '<SYSTEM32>\reg.exe' Add HKLM\Software\WOW6432node\Acronis /f /v "language" /T REG_DWORD /D "1"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "ImagePath" /T REG_SZ /D "System32\DRIVERS\snapman64.sys"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "DisplayName" /T REG_SZ /D "Acronis Snapshot Manager"' (with hidden window)
- '<SYSTEM32>\sc.exe' start fltsrv64' (with hidden window)
- '<SYSTEM32>\sc.exe' create fltsrv64 type= kernel start= boot binpath= "System32\DRIVERS\fltsrv64.sys"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Tag" /T REG_DWORD /D "2"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Type" /T REG_DWORD /D "1"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Start" /T REG_DWORD /D "0"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "ImagePath" /T REG_SZ /D "System32\DRIVERS\fltsrv64.sys"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Group" /T REG_SZ /D "Filter"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "DisplayName" /T REG_SZ /D "Acronis Storage Filter Management"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "ErrorControl" /T REG_DWORD /D "0"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy "fltsrv64.sys" <DRIVERS>\fltsrv64.sys /Y' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c copy "snapman64.sys" <DRIVERS>\snapman64.sys /Y' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v "RegisteredOwner" /t REG_SZ /d "Đình Phúc"' (with hidden window)
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "ErrorControl" /T REG_DWORD /D "1"' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v "RegisteredOrganization" /t REG_SZ /d "Fb.com/TongDinhPhuc"' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v "RegisteredOrganization" /t REG_SZ /d "Fb.com/TongDinhPhuc"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "auto_reactivate64.bin" /T REG_SZ /D "auto_reactivate64.bin"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "auto_reactivate.bin" /T REG_SZ /D "auto_reactivate.bin"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "libcrypto10.dll" /T REG_SZ /D "libcrypto10.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "thread_pool.dll" /T REG_SZ /D "thread_pool.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "resource.dll" /T REG_SZ /D "resource.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "rpc_client.dll" /T REG_SZ /D "rpc_client.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\CommonComponents /f /v "icu38.dll" /T REG_SZ /D "icu38.dll"
- '<SYSTEM32>\reg.exe' Add HKLM\Software\Acronis\TrueImage /f /v "standard" /t REG_SZ /d " 7 24 17 16 6 15 7102120 23 17 24 27 16 17 15 17120 16 97103 27 17 3 15 16120 22 97 98 17 12 27109 17120 17 97109103 17 22...
- '<SYSTEM32>\sc.exe' start snapman64
- '<SYSTEM32>\sc.exe' create snapman64 type= kernel start= boot binpath= "System32\DRIVERS\snapman64.sys"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "Type" /T REG_DWORD /D "1"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "Start" /T REG_DWORD /D "0"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "ImagePath" /T REG_SZ /D "System32\DRIVERS\snapman64.sys"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "ErrorControl" /T REG_DWORD /D "1"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\snapman64 /f /v "DisplayName" /T REG_SZ /D "Acronis Snapshot Manager"
- '<SYSTEM32>\sc.exe' start fltsrv64
- '<SYSTEM32>\sc.exe' create fltsrv64 type= kernel start= boot binpath= "System32\DRIVERS\fltsrv64.sys"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Tag" /T REG_DWORD /D "2"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Type" /T REG_DWORD /D "1"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Start" /T REG_DWORD /D "0"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "ImagePath" /T REG_SZ /D "System32\DRIVERS\fltsrv64.sys"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "Group" /T REG_SZ /D "Filter"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "DisplayName" /T REG_SZ /D "Acronis Storage Filter Management"
- '<SYSTEM32>\reg.exe' ADD HKLM\SYSTEM\ControlSet001\Services\fltsrv64 /f /v "ErrorControl" /T REG_DWORD /D "0"
- '<SYSTEM32>\cmd.exe' /c copy "fltsrv64.sys" <DRIVERS>\fltsrv64.sys /Y
- '<SYSTEM32>\cmd.exe' /c copy "snapman64.sys" <DRIVERS>\snapman64.sys /Y
- '%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /f /v "RegisteredOwner" /t REG_SZ /d "Đình Phúc"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Wow6432Node\Acronis\TrueImageHome\Settings /f /v "ServiceDir" /T REG_SZ /D "
- '<SYSTEM32>\reg.exe' Add HKLM\Software\WOW6432node\Acronis /f /v "language" /T REG_DWORD /D "1"