Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\fltsrv] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\fltsrv] 'ImagePath' = 'system32\DRIVERS\fltsrv.sys'
- [<HKLM>\System\CurrentControlSet\Services\fltsrv] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\fltsrv] 'ImagePath' = 'System32\DRIVERS\fltsrv.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\snapman] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\snapman] 'ImagePath' = 'system32\DRIVERS\snapman.sys'
- [<HKLM>\System\CurrentControlSet\Services\snapman] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\snapman] 'ImagePath' = 'System32\DRIVERS\snapman.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\volume_tracker] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\volume_tracker] 'ImagePath' = 'system32\DRIVERS\volume_tracker.sys'
- [<HKLM>\System\CurrentControlSet\Services\volume_tracker] 'Start' = '00000000'
- [<HKLM>\System\CurrentControlSet\Services\volume_tracker] 'ImagePath' = 'System32\DRIVERS\volume_tracker.sys'
- 'fltsrv' System32\DRIVERS\fltsrv.sys
- 'snapman' System32\DRIVERS\snapman.sys
- 'volume_tracker' System32\DRIVERS\volume_tracker.sys
- %TEMP%\4c5b.tmp\4c6b.tmp\4c6c.bat
- nul
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\4C5B.tmp\4C6B.tmp\4C6C.bat <Full path to file>" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\4C5B.tmp\4C6B.tmp\4C6C.bat <Full path to file>"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "pcs_io.dll" /T REG_SZ /D "pcs_io.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "disk_backup.dll" /T REG_SZ /D "disk_backup.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "archive3_adapter.dll" /T REG_SZ /D "archive3_adapter.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "re2.dll" /T REG_SZ /D "re2.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "rpc_client.dll" /T REG_SZ /D "rpc_client.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "astor_client.dll" /T REG_SZ /D "astor_client.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "kb_link.dll" /T REG_SZ /D "kb_link.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "file_backup.dll" /T REG_SZ /D "file_backup.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "winpthreads4.dll" /T REG_SZ /D "winpthreads4.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "archive3.dll" /T REG_SZ /D "archive3.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "thread_pool.dll" /T REG_SZ /D "thread_pool.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "mspack.dll" /T REG_SZ /D "mspack.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "libcrypto10.dll" /T REG_SZ /D "libcrypto10.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "resource.dll" /T REG_SZ /D "resource.dll"
- '<SYSTEM32>\sc.exe' start volume_tracker
- '<SYSTEM32>\sc.exe' create volume_tracker type= kernel start= boot binpath= "System32\DRIVERS\volume_tracker.sys"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "Group" /t REG_SZ /d "PnP Filter"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "DisplayName" /t REG_SZ /d "Acronis Volume Tracker"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "libssl10.dll" /T REG_SZ /D "libssl10.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "boot_assist.dll" /T REG_SZ /D "boot_assist.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "zstd.dll" /T REG_SZ /D "zstd.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\BackupAndRecovery\Commoncomponents /F /V "libcrypto10.dll" /T REG_SZ /D "libcrypto10.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\TrueImageHome\Settings /f /v "ServiceDir" /T REG_SZ /D ""
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Trueimage /F /V "standard" /T REG_SZ /D " 12108 0 31109 12 24 0120 3 7 31 98 23 0 18 13120 18 6 97 27 2 1 16109120 5109 17 17 31 29 98 3120 97 4 7 13 12 3...
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "TrueImage.exe" /T REG_SZ /D "TrueImage.exe"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "backup_worker.exe" /T REG_SZ /D "backup_worker.exe"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "auto_reactivate64.bin" /T REG_SZ /D "auto_reactivate64.bin"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "auto_reactivate.bin" /T REG_SZ /D "auto_reactivate.bin"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\Commoncomponents /F /V "spawn.exe" /T REG_SZ /D "spawn.exe"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\OnlineBackupStandalone\CommonComponents /F /V "rpc_client.dll" /T REG_SZ /D "rpc_client.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "snapapi.dll" /T REG_SZ /D "snapapi.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "volume_tracker_driver_api.dll" /T REG_SZ /D "volume_tracker_driver_api.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "tib_api.dll" /T REG_SZ /D "tib_api.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "tib_mounter.dll" /T REG_SZ /D "tib_mounter.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "ulxmlrpcpp.dll" /T REG_SZ /D "ulxmlrpcpp.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "logging.dll" /T REG_SZ /D "logging.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "icu38.dll" /T REG_SZ /D "icu38.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\GlobalComponents /F /V "expat.dll" /T REG_SZ /D "expat.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\BackupAndRecovery\Commoncomponents /F /V "resource.dll" /T REG_SZ /D "resource.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\BackupAndRecovery\Commoncomponents /F /V "libssl10.dll" /T REG_SZ /D "libssl10.dll"
- '<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Acronis\BackupAndRecovery\Commoncomponents /F /V "thread_pool.dll" /T REG_SZ /D "thread_pool.dll"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\volume_tracker.sys"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Control" /v SystemStartOptions
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "Tag" /t REG_DWORD /d "8"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "Start" /t REG_DWORD /d "0"
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\ATIH2021ZC.reg
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\ATIH2021ZB.reg
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\ATIH2021ZY.reg
- '<SYSTEM32>\reg.exe' QUERY HKLM\SYSTEM\ControlSet001\Services\fltsrv /ve
- '<SYSTEM32>\reg.exe' QUERY HKLM\SYSTEM\ControlSet001\Services\snapman /ve
- '<SYSTEM32>\reg.exe' Delete "HKLM\SOFTWARE\Acronis\TrueImage" /f
- '<SYSTEM32>\reg.exe' Delete "HKLM\SOFTWARE\Acronis\CommonComponents" /f
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SOFTWARE\Wow6432node\Wow6432node\Acronis\Trueimage"
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\fltsrv2.reg
- '<SYSTEM32>\reg.exe' EXPORT "HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" %TEMP%\ATIH2021SV\0fltsrv.reg /y
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Control\Class\{53966cb1-4d46-4166-bf23-c522403cd495}" /v "UpperFilters"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Control\Class\{53487c23-680f-4585-acc3-1f10d6777e82}" /v "UpperFilters"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Services\volume_tracker"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Services\snapman"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Services\fltsrv"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SOFTWARE\Wow6432node\Wow6432node\Acronis"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SOFTWARE\Wow6432node\Acronis"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SOFTWARE\Acronis\TrueImage"
- '<SYSTEM32>\reg.exe' QUERY "HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "UpperFilters"
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\snapman2.reg
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\volume_tracker2.reg
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\UpperFilters2.reg
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "Type" /t REG_DWORD /d "1"
- '<SYSTEM32>\sc.exe' start snapman
- '<SYSTEM32>\sc.exe' create snapman type= kernel start= boot binpath= "System32\DRIVERS\snapman.sys"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\snapman /f /v "DisplayName" /t REG_SZ /d "Acronis Snapshots Manager"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\snapman /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\snapman.sys"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\snapman /f /v "ErrorControl" /t REG_DWORD /d "1"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\snapman /f /v "Start" /t REG_DWORD /d "0"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\snapman /f /v "Type" /t REG_DWORD /d "1"
- '<SYSTEM32>\sc.exe' start fltsrv
- '<SYSTEM32>\sc.exe' create fltsrv type= kernel start= boot binpath= "System32\DRIVERS\fltsrv.sys"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "Group" /t REG_SZ /d "Filter"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "DisplayName" /t REG_SZ /d "Acronis Storage Filter Management"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "ImagePath" /t REG_EXPAND_SZ /d "system32\DRIVERS\fltsrv.sys"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "Tag" /t REG_DWORD /d "2"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "ErrorControl" /t REG_DWORD /d "1"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "Start" /t REG_DWORD /d "0"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\fltsrv /f /v "Type" /t REG_DWORD /d "1"
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\0fltsrv2.reg
- '<SYSTEM32>\reg.exe' IMPORT %TEMP%\ATIH2021SV\partmgr2.reg
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\ControlSet001\Services\volume_tracker /f /v "ErrorControl" /t REG_DWORD /d "1"
- '<SYSTEM32>\find.exe' /i "MININT"