onlinecentralstore.com

onlinecentralstore.com 193.105.0.60
76.191.104.55 76.191.104.55
Opened listening TCP connection on port: 28976
Opened listening TCP connection on port: 37660
Download URLs
http://193.105.0.60/pemperem.bin (onlinecentralstore.com)
http://193.105.0.60/pemperem.bin (onlinecentralstore.com)
http://193.105.0.60/ononnono.exe (onlinecentralstore.com)
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: 76.191.104.55 TCP port 443
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: onlinecentralstore.com TCP port 80
Outgoing connection to remote server: 76.191.104.55 TCP port 443

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "LogSessionName" = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "Active" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "ControlFlags" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier "Guid" = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier "BitNames" = Error Unusual Info Debug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy "LogSessionName" = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy "Active" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy "ControlFlags" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier "Guid" = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier "BitNames" = Error Unusual Info Debug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil "LogSessionName" = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil "Active" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil "ControlFlags" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier "Guid" = 8aefce96-4618-42ff-a057-3536aa78233e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier "BitNames" = Error Unusual Info Debug
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT "EventMessageFile" = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\ESENT.dll]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT "CategoryMessageFile" = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\ESENT.dll]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT "CategoryCount" = [REG_DWORD, value: 00000010]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT "TypesSupported" = [REG_DWORD, value: 00000007]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{3039636B-5F3D-6C64-6675-696870667265}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{33373039-3132-3864-6B30-303233343434}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{6E633338-267E-2A79-6830-386668666866}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{3039636B-5F3D-6C64-6675-696870667265}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{33373039-3132-3864-6B30-303233343434}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{6E633338-267E-2A79-6830-386668666866}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{3039636B-5F3D-6C64-6675-696870667265}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{33373039-3132-3864-6B30-303233343434}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{6E633338-267E-2A79-6830-386668666866}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{23343233-2C66-3B33-3432-343233343233}" = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{120EDA34-3558-6346-03CE-BBBA64B3339B}" = [REG_BINARY, size: 4 bytes]
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "userinit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\DEBUG "Trace Level"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Global\DEBUG "Trace Level"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography "MachineGuid"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{5D19E473-BE30-416B-B5C7-D8A091C41D2F}\Connection "Name"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{33373039-3132-3864-6B30-303233343434}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{21212130-2D30-3D39-2D30-3D3233343334}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{33323038-2829-5F2A-3039-333033333333}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{6E633338-267E-2A79-6830-386668666866}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{33373039-3132-3864-6B30-303233343434}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{21212130-2D30-3D39-2D30-3D3233343334}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{33323038-2829-5F2A-3039-333033333333}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} "{6E633338-267E-2A79-6830-386668666866}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{33373039-3132-3864-6B30-303233343434}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{21212130-2D30-3D39-2D30-3D3233343334}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{33323038-2829-5F2A-3039-333033333333}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{6E633338-267E-2A79-6830-386668666866}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "DefaultLaunchPermission"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "MachineLaunchRestriction"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "MachineAccessRestriction"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "ActivationFailureLoggingLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "CallFailureLoggingLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "InvalidSecurityDescriptorLoggingLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "DisableActivationSecurityCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc "DCOM Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOMHTTP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "IgnoreServerExceptions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "BreakOnSilencedServerExceptions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "LegacyAuthenticationService"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "LegacyAuthenticationLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "LegacyImpersonationLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "LegacyMutualAuthentication"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "LegacySecureReferences"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "UseSharedWowVDM"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "MaxActivationRetriesPerServer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "PreferUnsecureActivation"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "AllowMultipleTSSessions"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core "EnableConcurrentSessions"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} "{3039636B-5F3D-6C64-6675-696870667265}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{DBE712F1-D373-9699-3F49-FF4DB6C2241A} "{3039636B-5F3D-6C64-6675-696870667265}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{120EDA34-3558-6346-03CE-BBBA64B3339B}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{21323133-4B4A-686E-646B-6D6E69686A64}"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "EnableFirewall"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{506F704F-704F-3033-2D33-333331313131}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} "{23343233-2C66-3B33-3432-343233343233}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "BackoffOnUserActivityInterval1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "BackoffOnUserActivityInterval2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "DebugFilters"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "ObsoleteTempFilesAge"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "FilterDaemonMsToIdle"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "ConnectTimeout"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "DataTimeout"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "UseProxy"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "LocalByPassProxy"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "PortNumber"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "ProxyName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "ByPassList"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File "ProgID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File "Prefix"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers "Mapi"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\Mapi "LogLevel.MAPI"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Search\Preferences "PreventIndexingOutlook"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers "OutlookExpress"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers "OTFS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\Mapi "LogLevel.UNCFATPHLog"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "MaxGrowFactor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "PerformanceLevel"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network "UID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager "MaxMSinFilter"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "userinit"
Enums
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File
HKEY_CURRENT_USER\Identities

File Changes by all processes
New Files
C:\WINDOWS\system32\sdra64.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
\Device\Tcp6
\Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
C:\WINDOWS\system32\lowsec\user.ds.lll
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds.lll
C:\WINDOWS\TEMP\1F.tmp
\\.\pipe\_AVIRA_2108
C:\WINDOWS\system32\sdra64.exe
Opened Files
\\.\PIPE\lsarpc
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\ntdll.dll
c:\autoexec.bat
\\.\PIPE\ROUTER
\\.\Ip
\\.\Ip6
\\.\pipe\_AVIRA_2108
\\.\pipe\_AVIRA_2109
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\TEMP
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\PIPE\lsarpc
\\.\pipe\_AVIRA_2108
C:\WINDOWS\Registration\R000000000007.clb
c:\Dokumente und Einstellungen\Administrator\ntuser.ini
\\.\PIPE\lsarpc
\\.\pipe\_AVIRA_2108
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
\\.\pipe\_AVIRA_2109
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\ntdll.dll
Deleted Files
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds.lll
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_7cc.dat
C:\WINDOWS\system32\sdra64.exe
Chronological Order
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Set File Attributes: C:\WINDOWS\system32\sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\sdra64.exe
Copy File: c:\ononnono.exe to C:\WINDOWS\system32\sdra64.exe
Set File Attributes: C:\WINDOWS\system32\sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\sdra64.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\sdra64.exe
Set File Attributes: C:\WINDOWS\system32\sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_READONLY SECURITY_ANONYMOUS)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create/Open File: \Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
Open File: \\.\Ip6 (OPEN_EXISTING)
Open File: \\.\pipe\_AVIRA_2108 (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\lowsec\user.ds.lll
Find File: C:\WINDOWS\system32\lowsec\user.ds
Open File: \\.\pipe\_AVIRA_2109 (OPEN_EXISTING)
Move File: C:\WINDOWS\system32\lowsec\user.ds to C:\WINDOWS\system32\lowsec\user.ds.lll
Open File: C:\WINDOWS\system32\lowsec\local.ds (OPEN_EXISTING)
Set File Attributes: C:\WINDOWS\system32\lowsec Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\system32\lowsec\local.ds Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\lowsec\local.ds
Create File: C:\WINDOWS\system32\lowsec\local.ds
Create/Open File: C:\WINDOWS\system32\lowsec\user.ds.lll (OPEN_ALWAYS)
Set File Attributes: C:\WINDOWS\system32\lowsec\user.ds.lll Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\lowsec\user.ds.lll
Create File: C:\WINDOWS\TEMP\1F.tmp
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\TEMP ()
Find File: C:\WINDOWS\Temp\1F.tmp
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create NamedPipe: \\.\pipe\_AVIRA_2108
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\pipe\_AVIRA_2108 (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Search\Data\Temp\usgthrsvc\*.*
Delete File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_7cc.dat
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: c:\Dokumente und Einstellungen\Administrator\ntuser.ini (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\pipe\_AVIRA_2108 (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\pipe\_AVIRA_2109 (OPEN_EXISTING)
Set File Attributes: C:\WINDOWS\system32\sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\sdra64.exe
Copy File: C:\WINDOWS\TEMP\1F.tmp to C:\WINDOWS\system32\sdra64.exe
Set File Attributes: C:\WINDOWS\system32\sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\sdra64.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\sdra64.exe
Set File Attributes: C:\WINDOWS\system32\sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_READONLY SECURITY_ANONYMOUS)