Sample viewer

vx.netlux.org/Trojan.DOS.Erase26.d2

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:34:00.560425571Z	48	PC: 12a4c \| Get DOS version
2018-12-17T22:34:00.562271881Z	53	PC: 12bef \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:34:00.563724957Z	53	PC: 12bfc \| Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:34:00.565218012Z	53	PC: 12c09 \| Get interrupt vector (Interrupt = '5' AKA 'Printer output')
2018-12-17T22:34:00.567230762Z	53	PC: 12c16 \| Get interrupt vector (Interrupt = '6' AKA 'Direct console I/O')
2018-12-17T22:34:00.568707386Z	37	PC: 12c2a \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:34:00.570501431Z	74	PC: 12af4 \| Reallocate memory
2018-12-17T22:34:00.573081165Z	68	PC: 12faa \| I/O control for devices (Set for = 'pyright 1991 Borland Intl.')
2018-12-17T22:34:00.583088584Z	68	PC: 12faa \| I/O control for devices (Set for = '')
2018-12-17T22:34:00.586855982Z	42	PC: 12e6b \| Get date 0x12e6b: mov word ptr [si], cx 0x12e6d: mov word ptr [si + 2], dx 0x12e70: pop si 0x12e71: pop bp 0x12e72: ret 0x12e73: push bp 0x12e74: mov bp, sp 0x12e76: push si 0x12e77: mov si, word ptr [bp + 4] 0x12e7a: mov ah, 0x2c 0x12e7c: int 0x21 0x12e7e: mov word ptr [si], cx 0x12e80: mov word ptr [si + 2], dx 0x12e83: pop si 0x12e84: pop bp 0x12e85: ret 0x12e86: push bp 0x12e87: mov bp, sp 0x12e89: mov ah, 0x35 0x12e8b: mov al, byte ptr [bp + 4]
2018-12-17T22:34:00.589955778Z	44	PC: 12e7e \| Get time 0x12e7e: mov word ptr [si], cx 0x12e80: mov word ptr [si + 2], dx 0x12e83: pop si 0x12e84: pop bp 0x12e85: ret 0x12e86: push bp 0x12e87: mov bp, sp 0x12e89: mov ah, 0x35 0x12e8b: mov al, byte ptr [bp + 4] 0x12e8e: int 0x21 0x12e90: xchg ax, bx 0x12e91: mov dx, es 0x12e93: pop bp 0x12e94: ret 0x12e95: push bp 0x12e96: mov bp, sp 0x12e98: mov ah, 0x25 0x12e9a: mov al, byte ptr [bp + 4] 0x12e9d: push ds 0x12e9e: lds dx, ptr [bp + 6]
2018-12-17T22:34:00.602458514Z	47	PC: 1366a \| Get disk transfer address
2018-12-17T22:34:00.60800501Z	26	PC: 13673 \| Set disk transfer address
2018-12-17T22:34:00.611074962Z	78	PC: 1367d \| Find first file
2018-12-17T22:34:00.616302781Z	26	PC: 13686 \| Set disk transfer address
2018-12-17T22:34:00.617915627Z	47	PC: 1369d \| Get disk transfer address
2018-12-17T22:34:00.619379385Z	26	PC: 136a6 \| Set disk transfer address
2018-12-17T22:34:00.620305505Z	79	PC: 136aa \| Find next file
2018-12-17T22:34:00.62317837Z	26	PC: 136b3 \| Set disk transfer address
2018-12-17T22:34:02.667173878Z	72	PC: 8f1b9 \| Allocate memory
2018-12-17T22:34:02.668599586Z	72	PC: 8f1bd \| Allocate memory
2018-12-17T22:34:02.671161179Z	99	PC: 90858 \| Get DBCS lead byte table pointer
2018-12-17T22:34:02.673710948Z	61	PC: 91f88 \| Open file (Filename = 'C:\WINDOWS\HIMEM.SYS')
2018-12-17T22:34:02.68624447Z	66	PC: 91f95 \| Move file pointer
2018-12-17T22:34:02.689293571Z	62	PC: 91fc1 \| Close file
2018-12-17T22:34:02.691606675Z	75	PC: 91fe0 \| Execute program
2018-12-17T22:34:02.709880028Z	98	PC: 916f1 \| Get current PSP
2018-12-17T22:34:02.712522811Z	9	PC: c605 \| Display string (String= '6ï¿½ï¿½rï¿½&;]u')
2018-12-17T22:34:02.723196774Z	48	PC: c609 \| Get DOS version
2018-12-17T22:34:02.72697293Z	9	PC: c382 \| Display string (String= ' Installed A20 handler number ')
2018-12-17T22:34:02.732510121Z	2	PC: c38c \| Character output (Char = '32')
2018-12-17T22:34:02.736172092Z	2	PC: c3a7 \| Character output (Char = '2e')
2018-12-17T22:34:02.740269642Z	9	PC: c6d9 \| Display string (String= 'ï¿½ï¿½ï¿½ï¿½ï¿½VHï¿½VDï¿½ï¿½ï¿½V@ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½î°ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½_ï¿½ï¿½ï¿½Kuï¿½ï¿½t1ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Dï¿½ï¿½ï¿½ï¿½ï¿½t ï¿½ï¿½ ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½a1ï¿½ï¿½Zï¿½ï¿½ï¿½ï¿½ï¿½Wï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½5ï¿½ï¿½ï¿½\|ï¿½ï¿½ï¿½ï¿½ï¿½(ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Ç‹ï¿½(ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½pï¿½^')
2018-12-17T22:34:02.746437474Z	9	PC: c6e0 \| Display string (String= 'ï¿½5ï¿½ï¿½ï¿½\|ï¿½ï¿½ï¿½ï¿½ï¿½(ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Ç‹ï¿½(ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½pï¿½^')
2018-12-17T22:34:02.756878254Z	61	PC: 91f88 \| Open file (Filename = 'C:\WINDOWS\SMARTDRV.EXE')
2018-12-17T22:34:02.768574574Z	66	PC: 91f95 \| Move file pointer
2018-12-17T22:34:02.770209672Z	62	PC: 91fc1 \| Close file
2018-12-17T22:34:02.7729638Z	75	PC: 91fe0 \| Execute program
2018-12-17T22:34:02.800548754Z	98	PC: 916f1 \| Get current PSP
2018-12-17T22:34:02.805321334Z	82	PC: 13d46 \| Get DOS internal pointers (SYSVARS)
2018-12-17T22:34:02.808344978Z	53	PC: 13ac3 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:34:02.810077393Z	37	PC: 13ad6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:34:02.811380852Z	53	PC: 13ae0 \| Get interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-17T22:34:02.813408262Z	37	PC: 13af3 \| Set interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-17T22:34:02.814648522Z	9	PC: 13a0d \| Display string (Could not find end pointer)
2018-12-17T22:34:02.82752479Z	62	PC: 8f8eb \| Close file
2018-12-17T22:34:02.830510745Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.832816696Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.834502987Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.837533384Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.839365636Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.840982186Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.843699309Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.845317352Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.846832011Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.848328956Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.850549633Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.852591218Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.854079941Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.856284323Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.857875598Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.859395241Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.861682655Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.863227808Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.864718015Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.866762837Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.86824114Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.871264712Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.873315735Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.874840416Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.876302251Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.878110307Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.895769984Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.897550149Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.899612733Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.900839252Z	62	PC: 8f8f2 \| Close file
2018-12-17T22:34:02.902087652Z	61	PC: 8f8ff \| Open file (Filename = '')
2018-12-17T22:34:02.905711515Z	62	PC: 8f90e \| Close file
2018-12-17T22:34:02.908179584Z	69	PC: 8f915 \| Duplicate handle
2018-12-17T22:34:02.910153277Z	69	PC: 8f919 \| Duplicate handle
2018-12-17T22:34:02.911921186Z	61	PC: 9387b \| Open file (Filename = '')
2018-12-17T22:34:02.917177628Z	68	PC: 9386b \| I/O control for devices (Set for = '')
2018-12-17T22:34:02.918504288Z	61	PC: 9387b \| Open file (Filename = '')
2018-12-17T22:34:02.92356746Z	68	PC: 9386b \| I/O control for devices (Set for = '')
2018-12-17T22:34:02.926022312Z	74	PC: 8f9c4 \| Reallocate memory
2018-12-17T22:34:02.927680021Z	72	PC: 8f9e0 \| Allocate memory
2018-12-17T22:34:02.929681911Z	72	PC: 8f9e4 \| Allocate memory
2018-12-17T22:34:02.937598802Z	74	PC: 8f9fb \| Reallocate memory
2018-12-17T22:34:02.939181704Z	72	PC: 8fa02 \| Allocate memory
2018-12-17T22:34:02.941208995Z	72	PC: 8fa06 \| Allocate memory
2018-12-17T22:34:02.943428346Z	73	PC: 8fa11 \| Release memory
2018-12-17T22:34:02.945141296Z	73	PC: 8efea \| Release memory
2018-12-17T22:34:02.94664879Z	74	PC: 8f003 \| Reallocate memory
2018-12-17T22:34:02.949387629Z	72	PC: 8f054 \| Allocate memory
2018-12-17T22:34:02.951248543Z	72	PC: 8f058 \| Allocate memory
2018-12-17T22:34:02.952810159Z	73	PC: 8f060 \| Release memory
2018-12-17T22:34:02.954731017Z	61	PC: 8f080 \| Open file (Filename = 'r,ï¿½Sï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½[ï¿½
2018-12-17T22:34:02.964880133Z	63	PC: 8f095 \| Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:34:02.971055074Z	66	PC: 8f0ad \| Move file pointer
2018-12-17T22:34:02.973966418Z	62	PC: 8f0d1 \| Close file
2018-12-17T22:34:02.976046697Z	75	PC: 8f0f2 \| Execute program
2018-12-17T22:34:03.000912795Z	80	PC: 12be9 \| Set current PSP
2018-12-17T22:34:03.002455482Z	48	PC: 12bee \| Get DOS version
2018-12-17T22:34:03.004201439Z	99	PC: 193d0 \| Get DBCS lead byte table pointer
2018-12-17T22:34:03.006783657Z	101	PC: 12c74 \| Get extended country info
2018-12-17T22:34:03.008737606Z	99	PC: 12c7a \| Get DBCS lead byte table pointer
2018-12-17T22:34:03.010589057Z	74	PC: 12cdc \| Reallocate memory
2018-12-17T22:34:03.012503871Z	72	PC: 1355d \| Allocate memory
2018-12-17T22:34:03.015689379Z	25	PC: 13596 \| Get default drive
2018-12-17T22:34:03.017114695Z	71	PC: 135ad \| Get current directory
2018-12-17T22:34:03.019779608Z	59	PC: 135ba \| Change current directory
2018-12-17T22:34:03.026324889Z	59	PC: 135c8 \| Change current directory
2018-12-17T22:34:03.032638175Z	59	PC: 135d3 \| Change current directory
2018-12-17T22:34:03.036536305Z	25	PC: 12d13 \| Get default drive
2018-12-17T22:34:03.038161223Z	37	PC: 127d3 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-17T22:34:03.040001662Z	37	PC: 127da \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:34:03.041338104Z	37	PC: 127e1 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:34:03.043851447Z	80	PC: 1301d \| Set current PSP
2018-12-17T22:34:03.045525221Z	37	PC: 13041 \| Set interrupt vector (Interrupt = '46' AKA 'Set verify flag')
2018-12-17T22:34:03.047030795Z	53	PC: 13362 \| Get interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-17T22:34:03.048461531Z	37	PC: 13383 \| Set interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-17T22:34:03.05047703Z	51	PC: 13417 \| Get or set Ctrl-Break
2018-12-17T22:34:03.053028472Z	72	PC: 130ec \| Allocate memory
2018-12-17T22:34:03.055033295Z	61	PC: 131b2 \| Open file (Filename = '')
2018-12-17T22:34:03.062918562Z	62	PC: 131ba \| Close file
2018-12-17T22:34:03.065581848Z	51	PC: 1344c \| Get or set Ctrl-Break
2018-12-17T22:34:03.067192134Z	74	PC: 1197c \| Reallocate memory
2018-12-17T22:34:03.069548628Z	72	PC: 11991 \| Allocate memory
2018-12-17T22:34:03.071231673Z	73	PC: 119b2 \| Release memory
2018-12-17T22:34:03.072660914Z	72	PC: 119bd \| Allocate memory
2018-12-17T22:34:03.075088956Z	73	PC: 119df \| Release memory
2018-12-17T22:34:03.077268718Z	72	PC: 119f5 \| Allocate memory
2018-12-17T22:34:03.07924607Z	72	PC: 119fd \| Allocate memory