Sample viewer

vx.netlux.org/Trojan.DOS.QHA.e

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:56:41.241538448Z	48	PC: 17efe \| Get DOS version
2018-12-17T22:56:41.243489432Z	74	PC: 17f4e \| Reallocate memory
2018-12-17T22:56:41.244988359Z	48	PC: 17d0c \| Get DOS version
2018-12-17T22:56:41.245984705Z	53	PC: 17d14 \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:56:41.247145752Z	37	PC: 17d26 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:56:41.249171733Z	68	PC: 17db7 \| I/O control for devices (Set for = '�<')
2018-12-17T22:56:41.250315415Z	68	PC: 17db7 \| I/O control for devices
2018-12-17T22:56:41.251436738Z	68	PC: 17db7 \| I/O control for devices
2018-12-17T22:56:41.257441717Z	68	PC: 17db7 \| I/O control for devices
2018-12-17T22:56:41.258753051Z	68	PC: 17db7 \| I/O control for devices
2018-12-17T22:56:41.260296029Z	53	PC: 15b4c \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:56:41.26201348Z	53	PC: 15b59 \| Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:56:41.26325247Z	53	PC: 15b66 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:56:41.26437779Z	37	PC: 15b7b \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:56:41.266417454Z	37	PC: 15b83 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:56:41.267506363Z	37	PC: 15b8b \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:56:41.268738841Z	53	PC: 160c4 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:56:41.270335971Z	53	PC: 160d1 \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:56:41.271730237Z	53	PC: 160e0 \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:56:41.272835557Z	37	PC: 160ed \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:56:41.275434208Z	53	PC: 160f4 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:56:41.278157072Z	37	PC: 16101 \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:56:41.27953235Z	53	PC: 1610d \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:56:41.282982822Z	48	PC: 161cf \| Get DOS version
2018-12-17T22:56:41.287510137Z	74	PC: 172e7 \| Reallocate memory
2018-12-17T22:56:41.28970173Z	74	PC: 172e7 \| Reallocate memory
2018-12-17T22:56:41.291656911Z	68	PC: 15ac2 \| I/O control for devices (Set for = 'c:\windows > NUL#')
2018-12-17T22:56:41.298321071Z	68	PC: 15ac2 \| I/O control for devices (Set for = '')
2018-12-17T22:56:41.299987147Z	51	PC: 15ae0 \| Get or set Ctrl-Break
2018-12-17T22:56:41.300960956Z	51	PC: 15aec \| Get or set Ctrl-Break
2018-12-17T22:56:41.304917259Z	61	PC: 13208 \| Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T22:56:41.320763409Z	60	PC: 130cd \| Create or truncate file
2018-12-17T22:56:41.665411712Z	62	PC: 147bf \| Close file
2018-12-17T22:56:41.669069356Z	61	PC: 13208 \| Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T22:56:41.67928578Z	68	PC: 13161 \| I/O control for devices (Set for = 'NUL"')
2018-12-17T22:56:41.68323136Z	66	PC: 14561 \| Move file pointer
2018-12-17T22:56:41.68815091Z	63	PC: 14788 \| Read file or device (Read 50 bytes on handle 5)
2018-12-17T22:56:41.69159703Z	62	PC: 147bf \| Close file
2018-12-17T22:56:41.694762679Z	25	PC: 12cdb \| Get default drive
2018-12-17T22:56:41.696935623Z	13	PC: 12ce0 \| Disk reset
2018-12-17T22:56:41.698913557Z	14	PC: 12ce7 \| Set default drive (Drive = 'A')
2018-12-17T22:56:41.706736115Z	74	PC: 172e7 \| Reallocate memory
2018-12-17T22:56:41.709305408Z	51	PC: 15af7 \| Get or set Ctrl-Break
2018-12-17T22:56:41.710467779Z	37	PC: 15d79 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:56:41.712093964Z	37	PC: 15d83 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:56:41.71399297Z	37	PC: 15d8d \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:56:41.715971093Z	53	PC: 14854 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:56:41.717773068Z	53	PC: 14861 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:56:41.719587877Z	53	PC: 1486e \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:56:41.72176636Z	37	PC: 14889 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:56:41.723530186Z	53	PC: 14891 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:56:41.725338485Z	37	PC: 1489e \| Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:56:41.727499447Z	53	PC: 148a5 \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:56:41.728978106Z	37	PC: 148b2 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:56:41.730672111Z	37	PC: 148bc \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:56:41.732773343Z	37	PC: 148c7 \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:56:41.734296863Z	37	PC: 17e68 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:56:41.736691122Z	41	PC: 17c01 \| Parse filename
2018-12-17T22:56:41.739595711Z	41	PC: 17c03 \| Parse filename
2018-12-17T22:56:41.74155562Z	41	PC: 17c08 \| Parse filename
2018-12-17T22:56:41.743788819Z	75	PC: 17c1e \| Execute program
2018-12-17T22:56:41.770083809Z	80	PC: 1af99 \| Set current PSP
2018-12-17T22:56:41.771963725Z	48	PC: 1af9e \| Get DOS version
2018-12-17T22:56:41.774259439Z	99	PC: 21780 \| Get DBCS lead byte table pointer
2018-12-17T22:56:41.77792231Z	101	PC: 1b024 \| Get extended country info
2018-12-17T22:56:41.779980204Z	99	PC: 1b02a \| Get DBCS lead byte table pointer
2018-12-17T22:56:41.787730809Z	74	PC: 1b08c \| Reallocate memory
2018-12-17T22:56:41.790544944Z	25	PC: 1b0c3 \| Get default drive
2018-12-17T22:56:41.791791296Z	37	PC: 1ab83 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-17T22:56:41.792960248Z	37	PC: 1ab8a \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:56:41.794176337Z	37	PC: 1ab91 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:56:41.807053222Z	74	PC: 19d2c \| Reallocate memory
2018-12-17T22:56:41.809053529Z	72	PC: 19d6d \| Allocate memory
2018-12-17T22:56:41.811190523Z	72	PC: 19da5 \| Allocate memory
2018-12-17T22:56:41.813779004Z	72	PC: 19dad \| Allocate memory