Norman Sandbox: [ General information ]
* Locates window "NULL [class TAppBuilder]" on desktop.
* File length: 711688 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\FieleWay.txt.
* Creates file C:\WINDOWS\TEMP\SxKiller.sys.
[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".
* Creates key "HKLM\System\CurrentControlSet\Services\PspKiller".
* Sets value "ImagePath"="C:\WINDOWS\TEMP\SxKiller.sys" in key "HKLM\System\CurrentControlSet\Services\PspKiller".
* Sets value "DisplayName"="PspKiller" in key "HKLM\System\CurrentControlSet\Services\PspKiller".
[ Process/window information ]
* Creates an event called .
* Creates service "PspKiller (PspKiller)" as "C:\WINDOWS\TEMP\SxKiller.sys".
* Installing kernel driver "\Device\PspKiller".
* Driver "\Device\PspKiller" hooks kernel IRP "CREATE".
* Driver "\Device\PspKiller" hooks kernel IRP "CLOSE".
* Driver "\Device\PspKiller" hooks kernel IRP "DEVICE_CONTROL".
* Enumerates running processes.