Sample viewer

vx.netlux.org/Trojan.DOS.AHC

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:07:01.615990932Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:07:01.619031455Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T23:07:01.621003516Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T23:07:01.622974425Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:07:01.625434312Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:07:01.627044162Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:07:01.628579586Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T23:07:01.63038019Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T23:07:01.632350037Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T23:07:01.633924627Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T23:07:01.635469464Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T23:07:01.637806547Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T23:07:01.641048821Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T23:07:01.642985291Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T23:07:01.648713765Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T23:07:01.650470615Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T23:07:01.652935968Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T23:07:01.655748637Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T23:07:01.657655941Z	53	PC: 1612a \| Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T23:07:01.659995253Z	37	PC: 1613f \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:07:01.662421376Z	37	PC: 16147 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:07:01.664764365Z	37	PC: 1614f \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:07:01.667022234Z	37	PC: 16157 \| Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T23:07:01.669641475Z	68	PC: 1709d \| I/O control for devices (Set for = '')
2018-12-17T23:07:01.7791806Z	37	PC: 15841 \| Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T23:07:01.782492428Z	42	PC: 15dc7 \| Get date 0x15dc7: xor ah, ah 0x15dc9: les di, ptr [bp + 6] 0x15dcc: stosw word ptr es:[di], ax 0x15dcd: mov al, dl 0x15dcf: les di, ptr [bp + 0xa] 0x15dd2: stosw word ptr es:[di], ax 0x15dd3: mov al, dh 0x15dd5: les di, ptr [bp + 0xe] 0x15dd8: stosw word ptr es:[di], ax 0x15dd9: xchg ax, cx 0x15dda: les di, ptr [bp + 0x12] 0x15ddd: stosw word ptr es:[di], ax 0x15dde: pop bp 0x15ddf: retf 0x10 0x15de2: xchg bx, bx 0x15de4: push bp 0x15de5: mov bp, sp 0x15de7: mov cx, word ptr [bp + 0xa] 0x15dea: mov dh, byte ptr [bp + 8] 0x15ded: mov dl, byte ptr [bp + 6]
2018-12-17T23:07:01.786187376Z	44	PC: 15dff \| Get time 0x15dff: xor ah, ah 0x15e01: mov al, dl 0x15e03: les di, ptr [bp + 6] 0x15e06: stosw word ptr es:[di], ax 0x15e07: mov al, dh 0x15e09: les di, ptr [bp + 0xa] 0x15e0c: stosw word ptr es:[di], ax 0x15e0d: mov al, cl 0x15e0f: les di, ptr [bp + 0xe] 0x15e12: stosw word ptr es:[di], ax 0x15e13: mov al, ch 0x15e15: les di, ptr [bp + 0x12] 0x15e18: stosw word ptr es:[di], ax 0x15e19: pop bp 0x15e1a: retf 0x10 0x15e1d: xchg bx, bx 0x15e1f: nop 0x15e20: push bp 0x15e21: mov bp, sp 0x15e23: mov ch, byte ptr [bp + 0xc]
2018-12-17T23:07:01.78980441Z	54	PC: 15e42 \| Get free disk space
2018-12-17T23:07:01.844988945Z	54	PC: 15e42 \| Get free disk space
2018-12-17T23:07:01.84701843Z	54	PC: 15e42 \| Get free disk space
2018-12-17T23:07:01.849156126Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:07:01.851746311Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:07:01.853321099Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T23:07:01.854877414Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T23:07:01.857290578Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T23:07:01.858851457Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T23:07:01.860507217Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:07:01.862754561Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:07:01.878572905Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:07:01.880010505Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:07:01.881527831Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:07:01.883108333Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:07:01.884342048Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T23:07:01.885691157Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T23:07:01.887774218Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T23:07:01.889010431Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T23:07:01.890219274Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T23:07:01.892699021Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T23:07:01.894029677Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T23:07:01.89535812Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T23:07:01.910548633Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T23:07:01.912811337Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T23:07:01.914915542Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T23:07:01.917272576Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T23:07:01.918653144Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T23:07:01.919984698Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T23:07:01.921359423Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T23:07:01.923136664Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T23:07:01.924373708Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T23:07:01.925624451Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T23:07:01.928697302Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T23:07:01.930673506Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T23:07:01.93243099Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T23:07:01.934788546Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T23:07:01.938001832Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T23:07:01.93990273Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T23:07:01.9558074Z	53	PC: 160a4 \| Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T23:07:01.957643826Z	37	PC: 160ad \| Set interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T23:07:01.959929973Z	41	PC: 15ff1 \| Parse filename
2018-12-17T23:07:01.96273507Z	41	PC: 15fff \| Parse filename
2018-12-17T23:07:01.964749067Z	75	PC: 1600a \| Execute program
2018-12-17T23:07:01.988819568Z	80	PC: 1c7c9 \| Set current PSP
2018-12-17T23:07:01.990130942Z	48	PC: 1c7ce \| Get DOS version
2018-12-17T23:07:01.992624448Z	99	PC: 22fb0 \| Get DBCS lead byte table pointer
2018-12-17T23:07:01.996405884Z	101	PC: 1c854 \| Get extended country info
2018-12-17T23:07:02.000280115Z	99	PC: 1c85a \| Get DBCS lead byte table pointer
2018-12-17T23:07:02.002455963Z	74	PC: 1c8bc \| Reallocate memory
2018-12-17T23:07:02.004210264Z	25	PC: 1c8f3 \| Get default drive
2018-12-17T23:07:02.005693207Z	37	PC: 1c3b3 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-17T23:07:02.0080145Z	37	PC: 1c3ba \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:07:02.009700356Z	37	PC: 1c3c1 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:07:02.015145828Z	74	PC: 1b55c \| Reallocate memory
2018-12-17T23:07:02.017838072Z	72	PC: 1b59d \| Allocate memory
2018-12-17T23:07:02.020085311Z	72	PC: 1b5d5 \| Allocate memory
2018-12-17T23:07:02.022328293Z	72	PC: 1b5dd \| Allocate memory