Sample viewer

vx.netlux.org/Trojan.DOS.QHA.g

Syscalls:

Time | Op (INT 21h AH, decimal) | PC | Syscall name (arguments)
2018-12-17T23:10:10.841216184Z 48 PC: 17cbc | Get DOS version
2018-12-17T23:10:10.844219822Z 74 PC: 17d0c | Reallocate memory
2018-12-17T23:10:10.846631927Z 48 PC: 17d70 | Get DOS version
2018-12-17T23:10:10.848327909Z 53 PC: 17d78 | Get interrupt vector (Interrupt = '0' AKA 'INT 00h, CPU divide error')
2018-12-17T23:10:10.850910323Z 37 PC: 17d8a | Set interrupt vector (Interrupt = '0' AKA 'INT 00h, CPU divide error')
2018-12-17T23:10:10.853320531Z 53 PC: 1a462 | Get interrupt vector (Interrupt = '2' AKA 'INT 02h, NMI')
2018-12-17T23:10:10.85502958Z 37 PC: 1a472 | Set interrupt vector (Interrupt = '2' AKA 'INT 02h, NMI')
2018-12-17T23:10:10.856693973Z 53 PC: 1a477 | Get interrupt vector (Interrupt = '35' AKA 'INT 23h, DOS Ctrl-Break handler')
2018-12-17T23:10:10.858455763Z 37 PC: 1a487 | Set interrupt vector (Interrupt = '35' AKA 'INT 23h, DOS Ctrl-Break handler')
2018-12-17T23:10:10.859759087Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '52' AKA 'INT 34h, 8087 emulator')
2018-12-17T23:10:10.861080518Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '53' AKA 'INT 35h, 8087 emulator')
2018-12-17T23:10:10.863288946Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '54' AKA 'INT 36h, 8087 emulator')
2018-12-17T23:10:10.869211275Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '55' AKA 'INT 37h, 8087 emulator')
2018-12-17T23:10:10.87063857Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '56' AKA 'INT 38h, 8087 emulator')
2018-12-17T23:10:10.872993987Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '57' AKA 'INT 39h, 8087 emulator')
2018-12-17T23:10:10.874693306Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '58' AKA 'INT 3Ah, 8087 emulator')
2018-12-17T23:10:10.876335748Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '59' AKA 'INT 3Bh, 8087 emulator')
2018-12-17T23:10:10.884055564Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '60' AKA 'INT 3Ch, 8087 emulator')
2018-12-17T23:10:10.885665995Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '61' AKA 'INT 3Dh, 8087 emulator')
2018-12-17T23:10:10.887339338Z 53 PC: 181b6 | Get interrupt vector (Interrupt = '62' AKA 'INT 3Eh, 8087 emulator')
2018-12-17T23:10:10.889516813Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '52' AKA 'INT 34h, 8087 emulator')
2018-12-17T23:10:10.891077186Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '53' AKA 'INT 35h, 8087 emulator')
2018-12-17T23:10:10.892669957Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '54' AKA 'INT 36h, 8087 emulator')
2018-12-17T23:10:10.895354299Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '55' AKA 'INT 37h, 8087 emulator')
2018-12-17T23:10:10.896678893Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '56' AKA 'INT 38h, 8087 emulator')
2018-12-17T23:10:10.898413436Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '57' AKA 'INT 39h, 8087 emulator')
2018-12-17T23:10:10.90045182Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '58' AKA 'INT 3Ah, 8087 emulator')
2018-12-17T23:10:10.911571621Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '59' AKA 'INT 3Bh, 8087 emulator')
2018-12-17T23:10:10.913293454Z 37 PC: 181ec | Set interrupt vector (Interrupt = '60' AKA 'INT 3Ch, 8087 emulator')
2018-12-17T23:10:10.914990086Z 37 PC: 181f1 | Set interrupt vector (Interrupt = '61' AKA 'INT 3Dh, 8087 emulator')
2018-12-17T23:10:10.918475223Z 68 PC: 17e1b | I/O control for devices (Set for = <non-printable bytes: the viewer decoded DS:DX as text; the repeated `%�!` pattern (bytes 25h, CDh, 21h, the tail of mov ah,25h / int 21h) shows the data is code, not a string>)
2018-12-17T23:10:10.920989356Z 68 PC: 17e1b | I/O control for devices
2018-12-17T23:10:10.923780488Z 68 PC: 17e1b | I/O control for devices (Set for = 'to system')
2018-12-17T23:10:10.927356152Z 68 PC: 17e1b | I/O control for devices (Set for = ' of ')
2018-12-17T23:10:10.929208257Z 68 PC: 17e1b | I/O control for devices (Set for = ' of ')
2018-12-17T23:10:10.932041499Z 53 PC: 15806 | Get interrupt vector (Interrupt = '0' AKA 'INT 00h, CPU divide error')
2018-12-17T23:10:10.938377249Z 53 PC: 15813 | Get interrupt vector (Interrupt = '4' AKA 'INT 04h, CPU INTO overflow')
2018-12-17T23:10:10.940021191Z 53 PC: 15820 | Get interrupt vector (Interrupt = '36' AKA 'INT 24h, DOS critical error handler')
2018-12-17T23:10:10.94159001Z 37 PC: 15835 | Set interrupt vector (Interrupt = '0' AKA 'INT 00h, CPU divide error')
2018-12-17T23:10:10.944000177Z 37 PC: 1583d | Set interrupt vector (Interrupt = '4' AKA 'INT 04h, CPU INTO overflow')
2018-12-17T23:10:10.945306556Z 37 PC: 15845 | Set interrupt vector (Interrupt = '36' AKA 'INT 24h, DOS critical error handler')
2018-12-17T23:10:10.94677999Z 53 PC: 162c4 | Get interrupt vector (Interrupt = '239' AKA 'INT EFh, no standard BIOS/DOS assignment')
2018-12-17T23:10:10.948515749Z 53 PC: 162d1 | Get interrupt vector (Interrupt = '240' AKA 'INT F0h, no standard BIOS/DOS assignment')
2018-12-17T23:10:10.949882951Z 53 PC: 162e0 | Get interrupt vector (Interrupt = '9' AKA 'INT 09h, IRQ1 keyboard')
2018-12-17T23:10:10.951212104Z 37 PC: 162ed | Set interrupt vector (Interrupt = '239' AKA 'INT EFh, no standard BIOS/DOS assignment')
2018-12-17T23:10:10.952775823Z 53 PC: 162f4 | Get interrupt vector (Interrupt = '8' AKA 'INT 08h, IRQ0 timer tick')
2018-12-17T23:10:10.954677733Z 37 PC: 16301 | Set interrupt vector (Interrupt = '240' AKA 'INT F0h, no standard BIOS/DOS assignment')
2018-12-17T23:10:10.956251775Z 53 PC: 1630d | Get interrupt vector (Interrupt = '28' AKA 'INT 1Ch, user timer tick')
2018-12-17T23:10:10.961500718Z 48 PC: 163cf | Get DOS version
2018-12-17T23:10:10.964132458Z 74 PC: 144d1 | Reallocate memory
2018-12-17T23:10:10.966341922Z 74 PC: 144d1 | Reallocate memory
2018-12-17T23:10:10.968233164Z 68 PC: 1577c | I/O control for devices (Set for = ' Stack = 28666')
2018-12-17T23:10:10.976396225Z 68 PC: 1577c | I/O control for devices (Set for = '')
2018-12-17T23:10:10.979916789Z 51 PC: 1579a | Get or set Ctrl-Break
2018-12-17T23:10:10.984311731Z 51 PC: 157a6 | Get or set Ctrl-Break
2018-12-17T23:10:10.993889109Z 61 PC: 13872 | Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T23:10:11.02074386Z 60 PC: 13737 | Create or truncate file
2018-12-17T23:10:11.375467237Z 62 PC: 136a5 | Close file
2018-12-17T23:10:11.378512218Z 61 PC: 13872 | Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T23:10:11.387304634Z 68 PC: 137cb | I/O control for devices (Set for = 'ol Flow Protect] = 354666 Stack = 28666')
2018-12-17T23:10:11.390622682Z 66 PC: 13447 | Move file pointer
2018-12-17T23:10:11.394266516Z 63 PC: 1366e | Read file or device (Read 50 bytes on handle 5)
2018-12-17T23:10:11.406525865Z 62 PC: 136a5 | Close file
2018-12-17T23:10:11.409034472Z 25 PC: 12d2f | Get default drive
2018-12-17T23:10:11.410474784Z 13 PC: 12d34 | Disk reset
2018-12-17T23:10:11.412642298Z 14 PC: 12d3b | Set default drive (Drive = 'A')
2018-12-17T23:10:11.415594464Z 61 PC: 13872 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-17T23:10:11.426467668Z 68 PC: 137cb | I/O control for devices (Set for = 'ol Flow Protect] = 354666 Stack = 28666')
2018-12-17T23:10:11.429994389Z 66 PC: 13447 | Move file pointer
2018-12-17T23:10:11.431983858Z 63 PC: 1366e | Read file or device (Read 14 bytes on handle 5)
2018-12-17T23:10:11.439238996Z 62 PC: 136a5 | Close file
2018-12-17T23:10:11.44376526Z 44 PC: 17a19 | Get time
    0x17a19: mov al, 0x3c
    0x17a1b: mul ch
    0x17a1d: xor ch, ch
    0x17a1f: add ax, cx
    0x17a21: mov bx, ax
    0x17a23: push dx
    0x17a24: call 0x2792e
    0x17a27: pop dx
    0x17a28: mov ax, 0x3c
    0x17a2b: call 0x17a55
    0x17a2e: mov al, dh
    0x17a30: mov ah, 1
    0x17a32: call 0x17a55
    0x17a35: mov ax, 0x64
    0x17a38: call 0x17a55
    0x17a3b: mov al, dl
    0x17a3d: mov ah, 1
    0x17a3f: call 0x17a55
    0x17a42: mov ax, 0x264
    0x17a45: call 0x17a55
    (Code at the call site as dumped by the viewer. It is identical for all eight Get time events and is listed only once. INT 21h AH=2Ch returns CH=hour, CL=minute, DH=second, DL=hundredths, so the first four instructions compute AX = hour*60 + minute; the routine at 0x17a55 is then called alternately with the constants 60, 100 and 612 and with the second and hundredth values.)
2018-12-17T23:10:11.448833565Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.453073261Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.457836316Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.462096589Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.467083899Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.471950095Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.47623694Z 44 PC: 17a19 | Get time (same code as the first event)
2018-12-17T23:10:11.481867291Z 74 PC: 144d1 | Reallocate memory
2018-12-17T23:10:11.484951291Z 51 PC: 157b1 | Get or set Ctrl-Break
2018-12-17T23:10:11.486413542Z 37 PC: 15a33 | Set interrupt vector (Interrupt = '0' AKA 'INT 00h, CPU divide error')
2018-12-17T23:10:11.488152048Z 37 PC: 15a3d | Set interrupt vector (Interrupt = '4' AKA 'INT 04h, CPU INTO overflow')
2018-12-17T23:10:11.490462457Z 37 PC: 15a47 | Set interrupt vector (Interrupt = '36' AKA 'INT 24h, DOS critical error handler')
2018-12-17T23:10:11.492129421Z 53 PC: 13efe | Get interrupt vector (Interrupt = '8' AKA 'INT 08h, IRQ0 timer tick')
2018-12-17T23:10:11.493868268Z 53 PC: 13f0b | Get interrupt vector (Interrupt = '28' AKA 'INT 1Ch, user timer tick')
2018-12-17T23:10:11.496273691Z 53 PC: 13f18 | Get interrupt vector (Interrupt = '9' AKA 'INT 09h, IRQ1 keyboard')
2018-12-17T23:10:11.498049649Z 37 PC: 13f33 | Set interrupt vector (Interrupt = '28' AKA 'INT 1Ch, user timer tick')
2018-12-17T23:10:11.499737988Z 53 PC: 13f3b | Get interrupt vector (Interrupt = '239' AKA 'INT EFh, no standard BIOS/DOS assignment')
2018-12-17T23:10:11.50235137Z 37 PC: 13f48 | Set interrupt vector (Interrupt = '9' AKA 'INT 09h, IRQ1 keyboard')
2018-12-17T23:10:11.504445231Z 53 PC: 13f4f | Get interrupt vector (Interrupt = '240' AKA 'INT F0h, no standard BIOS/DOS assignment')
2018-12-17T23:10:11.506206214Z 37 PC: 13f5c | Set interrupt vector (Interrupt = '8' AKA 'INT 08h, IRQ0 timer tick')
2018-12-17T23:10:11.508833881Z 37 PC: 13f66 | Set interrupt vector (Interrupt = '239' AKA 'INT EFh, no standard BIOS/DOS assignment')
2018-12-17T23:10:11.510800235Z 37 PC: 13f71 | Set interrupt vector (Interrupt = '240' AKA 'INT F0h, no standard BIOS/DOS assignment')
2018-12-17T23:10:11.512622613Z 37 PC: 18201 | Set interrupt vector (Interrupt = '52' AKA 'INT 34h, 8087 emulator')
2018-12-17T23:10:11.515008091Z 37 PC: 18201 | Set interrupt vector (Interrupt = '53' AKA 'INT 35h, 8087 emulator')
2018-12-17T23:10:11.516866624Z 37 PC: 18201 | Set interrupt vector (Interrupt = '54' AKA 'INT 36h, 8087 emulator')
2018-12-17T23:10:11.518440214Z 37 PC: 18201 | Set interrupt vector (Interrupt = '55' AKA 'INT 37h, 8087 emulator')
2018-12-17T23:10:11.520771574Z 37 PC: 18201 | Set interrupt vector (Interrupt = '56' AKA 'INT 38h, 8087 emulator')
2018-12-17T23:10:11.522663388Z 37 PC: 18201 | Set interrupt vector (Interrupt = '57' AKA 'INT 39h, 8087 emulator')
2018-12-17T23:10:11.524228226Z 37 PC: 18201 | Set interrupt vector (Interrupt = '58' AKA 'INT 3Ah, 8087 emulator')
2018-12-17T23:10:11.52601241Z 37 PC: 18201 | Set interrupt vector (Interrupt = '59' AKA 'INT 3Bh, 8087 emulator')
2018-12-17T23:10:11.528854572Z 37 PC: 18201 | Set interrupt vector (Interrupt = '60' AKA 'INT 3Ch, 8087 emulator')
2018-12-17T23:10:11.530447075Z 37 PC: 18201 | Set interrupt vector (Interrupt = '61' AKA 'INT 3Dh, 8087 emulator')
2018-12-17T23:10:11.532021251Z 37 PC: 18201 | Set interrupt vector (Interrupt = '62' AKA 'INT 3Eh, 8087 emulator')
2018-12-17T23:10:11.534678096Z 37 PC: 1a496 | Set interrupt vector (Interrupt = '2' AKA 'INT 02h, NMI')
2018-12-17T23:10:11.536303496Z 37 PC: 17ecc | Set interrupt vector (Interrupt = '0' AKA 'INT 00h, CPU divide error')
2018-12-17T23:10:11.54123152Z 41 PC: 17aa5 | Parse filename
2018-12-17T23:10:11.544281918Z 41 PC: 17aa7 | Parse filename
2018-12-17T23:10:11.5463707Z 41 PC: 17aac | Parse filename
2018-12-17T23:10:11.548221208Z 75 PC: 17ac2 | Execute program
2018-12-17T23:10:11.574301003Z 80 PC: 1d3c9 | Set current PSP
2018-12-17T23:10:11.575568333Z 48 PC: 1d3ce | Get DOS version
2018-12-17T23:10:11.577565234Z 99 PC: 23bb0 | Get DBCS lead byte table pointer
2018-12-17T23:10:11.581611362Z 101 PC: 1d454 | Get extended country info
2018-12-17T23:10:11.583655374Z 99 PC: 1d45a | Get DBCS lead byte table pointer
2018-12-17T23:10:11.585369292Z 74 PC: 1d4bc | Reallocate memory
2018-12-17T23:10:11.588031956Z 25 PC: 1d4f3 | Get default drive
2018-12-17T23:10:11.589915626Z 37 PC: 1cfb3 | Set interrupt vector (Interrupt = '34' AKA 'INT 22h, DOS termination address')
2018-12-17T23:10:11.591490214Z 37 PC: 1cfba | Set interrupt vector (Interrupt = '35' AKA 'INT 23h, DOS Ctrl-Break handler')
2018-12-17T23:10:11.593813142Z 37 PC: 1cfc1 | Set interrupt vector (Interrupt = '36' AKA 'INT 24h, DOS critical error handler')
2018-12-17T23:10:11.599347033Z 74 PC: 1c15c | Reallocate memory
2018-12-17T23:10:11.601280914Z 72 PC: 1c19d | Allocate memory
2018-12-17T23:10:11.603604115Z 72 PC: 1c1d5 | Allocate memory
2018-12-17T23:10:11.607496881Z 72 PC: 1c1dd | Allocate memory
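The trace above is the raw output of the sample viewer, whose per-interrupt labels name the INT 21h function that happens to share a number with the vector (AH=25h/35h take a vector number in AL, so "Interrupt = '52'" is INT 34h, not "Get InDOS flag pointer"). The Python below is an added example, not code from the viewer or from the sample: it parses lines in this format, attaches the standard PC/DOS vector assignment to each Get/Set interrupt vector event, and reduces a trace to what an analyst triages first: which vectors the program hooks (timer and keyboard hooks are how resident code stays active), which files it opens or creates, and whether it spawns a child. The embedded TRACE is a constructed subset of the lines on this page; the VECTOR_NAMES table is the example's own, not the viewer's.

```python
"""Parse the sample viewer's INT 21h trace and re-label interrupt-vector calls.

Added example, not code from the sample viewer. TRACE is a constructed subset
of the lines on this page; VECTOR_NAMES holds the standard PC/DOS vector
assignments (the example's own table, not the viewer's).
"""
import re

# INT 21h function numbers; the trace prints AH in decimal.
AH_SET_VECTOR, AH_GET_VECTOR = 0x25, 0x35        # 37 and 53 in the trace
AH_CREATE, AH_OPEN, AH_EXEC = 0x3C, 0x3D, 0x4B   # 60, 61 and 75 in the trace

# Standard meaning of the interrupt *vector* numbers seen in this trace.
# The viewer labels each with the INT 21h function of the same number instead.
VECTOR_NAMES = {
    0x00: "CPU divide error",
    0x02: "NMI",
    0x04: "CPU INTO overflow",
    0x08: "IRQ0 timer tick",
    0x09: "IRQ1 keyboard",
    0x1C: "user timer tick",
    0x22: "DOS termination address",
    0x23: "DOS Ctrl-Break handler",
    0x24: "DOS critical error handler",
}
VECTOR_NAMES.update({n: "8087 emulator (INT 34h-3Eh)" for n in range(0x34, 0x3F)})
RESIDENT_HOOKS = {0x08, 0x09, 0x1C}  # timer/keyboard hooks: how a TSR stays active

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<ah>\d+)\s+PC:\s*(?P<pc>[0-9a-fA-F]+)\s*\|\s*"
    r"(?P<name>[^(]*?)(?:\s*\((?P<args>.*)\))?\s*$"
)
INT_RE = re.compile(r"Interrupt = '(\d+)'")
FILE_RE = re.compile(r"Filename = '([^']*)'")


def parse_line(line):
    """Return a record for one trace line, or None if the line is not a trace line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The viewer appends a disassembly to some events ("Get time 0x17a19: mov ..."); drop it.
    name = re.sub(r"\s+0x[0-9a-fA-F]+:.*$", "", m["name"]).strip()
    return {"time": m["time"], "ah": int(m["ah"]), "pc": int(m["pc"], 16),
            "name": name, "args": m["args"]}


def relabel(rec):
    """Attach the real vector number and name to AH=25h/35h records (in place)."""
    if rec["ah"] in (AH_SET_VECTOR, AH_GET_VECTOR) and rec["args"]:
        m = INT_RE.search(rec["args"])
        if m:
            rec["vector"] = int(m.group(1))
            rec["vector_name"] = VECTOR_NAMES.get(rec["vector"], "no standard BIOS/DOS assignment")
    return rec


def summarize(trace):
    """Reduce a trace to hooked vectors, touched files and child executions."""
    hooked, files, execs = set(), [], 0
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        relabel(rec)
        if rec["ah"] == AH_SET_VECTOR and "vector" in rec:
            hooked.add(rec["vector"])
        elif rec["ah"] in (AH_CREATE, AH_OPEN) and rec["args"]:
            m = FILE_RE.search(rec["args"])
            if m:
                files.append(m.group(1))
        elif rec["ah"] == AH_EXEC:
            execs += 1
    return {
        "hooked": sorted(hooked),
        "hooked_names": {v: VECTOR_NAMES.get(v, "no standard BIOS/DOS assignment") for v in sorted(hooked)},
        "resident_hooks": sorted(hooked & RESIDENT_HOOKS),
        "files": files,
        "exec_count": execs,
    }


# Constructed subset of the trace on this page (raw string, so the paths keep their backslashes).
TRACE = r"""
2018-12-17T23:10:10.841216184Z 48 PC: 17cbc | Get DOS version
2018-12-17T23:10:10.848327909Z 53 PC: 17d78 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:10:10.850910323Z 37 PC: 17d8a | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:10:10.889516813Z 37 PC: 181e5 | Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T23:10:10.949882951Z 53 PC: 162e0 | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T23:10:10.993889109Z 61 PC: 13872 | Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T23:10:11.394266516Z 63 PC: 1366e | Read file or device (Read 50 bytes on handle 5)
2018-12-17T23:10:11.415594464Z 61 PC: 13872 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-17T23:10:11.44376526Z 44 PC: 17a19 | Get time 0x17a19: mov al, 0x3c
2018-12-17T23:10:11.498049649Z 37 PC: 13f33 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T23:10:11.506206214Z 37 PC: 13f5c | Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:10:11.548221208Z 75 PC: 17ac2 | Execute program
"""

if __name__ == "__main__":
    for rec in map(parse_line, TRACE.splitlines()):
        if rec and "vector" in relabel(rec):
            print(f"{rec['name']:<20} INT {rec['vector']:02X}h  {rec['vector_name']}")
    print(summarize(TRACE))
```

To run it over the whole page, paste the trace into TRACE or pass the saved text to summarize(); events without parentheses (Get DOS version, Reallocate memory) parse with args set to None, and the disassembly the viewer appends to the Get time events is stripped from the name before it is used.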