Sample viewer

vx.netlux.org/Trojan.DOS.Heidos

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:48:44.423824565Z	48	PC: 18480 \| Get DOS version
2018-12-17T22:48:44.426172796Z	74	PC: 184d0 \| Reallocate memory
2018-12-17T22:48:44.428507303Z	48	PC: 17e52 \| Get DOS version
2018-12-17T22:48:44.430015011Z	53	PC: 17e5a \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:48:44.432218444Z	37	PC: 17e6c \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:48:44.434238128Z	53	PC: 1ac12 \| Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:48:44.43612725Z	37	PC: 1ac22 \| Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:48:44.438525259Z	53	PC: 1ac27 \| Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:48:44.443797312Z	37	PC: 1ac37 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:48:44.445159232Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:48:44.446549143Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:48:44.44859957Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:48:44.449990206Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:48:44.451227489Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:48:44.453710585Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:48:44.455889923Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:48:44.457994473Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:48:44.46009866Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:48:44.462027986Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:48:44.46387337Z	53	PC: 18966 \| Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:48:44.465317433Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:48:44.466647258Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:48:44.46951737Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:48:44.470907675Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:48:44.472344656Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:48:44.476037585Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:48:44.477357599Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:48:44.478924165Z	37	PC: 18995 \| Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:48:44.481708972Z	37	PC: 1899c \| Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:48:44.483113238Z	37	PC: 189a1 \| Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:48:44.484707281Z	68	PC: 17efd \| I/O control for devices (Set for = '�RP�[U��V�N��v��_')
2018-12-17T22:48:44.487370881Z	68	PC: 17efd \| I/O control for devices
2018-12-17T22:48:44.488818284Z	68	PC: 17efd \| I/O control for devices (Set for = '')
2018-12-17T22:48:44.490439089Z	68	PC: 17efd \| I/O control for devices (Set for = '@��E��r��9R�u��W�s��3��݋Ӌ��݋Ӌ��X��݋ȃ��ى]�M�E')
2018-12-17T22:48:44.492399092Z	68	PC: 17efd \| I/O control for devices (Set for = '@��E��r��9R�u��W�s��3��݋Ӌ��݋Ӌ��X��݋ȃ��ى]�M�E')
2018-12-17T22:48:44.494862938Z	53	PC: 15d2a \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:48:44.496561993Z	53	PC: 15d37 \| Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:48:44.50667934Z	53	PC: 15d44 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:48:44.508627955Z	37	PC: 15d59 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:48:44.50995915Z	37	PC: 15d61 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:48:44.511340609Z	37	PC: 15d69 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:48:44.513663135Z	53	PC: 162a2 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:48:44.515451146Z	53	PC: 162af \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:48:44.517253947Z	53	PC: 162be \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:48:44.519929081Z	37	PC: 162cb \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:48:44.521621759Z	53	PC: 162d2 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:48:44.524265425Z	37	PC: 162df \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:48:44.526527929Z	53	PC: 162eb \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:48:44.531221125Z	48	PC: 163ad \| Get DOS version
2018-12-17T22:48:44.532682237Z	74	PC: 17309 \| Reallocate memory
2018-12-17T22:48:44.535481369Z	74	PC: 17309 \| Reallocate memory
2018-12-17T22:48:44.537214706Z	68	PC: 15ca0 \| I/O control for devices (Set for = 'README.EXE C:\WINDOWS\WIN.EXE >NUL*')
2018-12-17T22:48:44.538769638Z	68	PC: 15ca0 \| I/O control for devices (Set for = '')
2018-12-17T22:48:44.540720332Z	51	PC: 15cbe \| Get or set Ctrl-Break
2018-12-17T22:48:44.542124772Z	51	PC: 15cca \| Get or set Ctrl-Break
2018-12-17T22:48:44.545741726Z	61	PC: 13108 \| Open file (Filename = 'C:\WINDOWS\WIN.EXE')
2018-12-17T22:48:44.561555242Z	61	PC: 13108 \| Open file (Filename = 'A:\README.EXE')
2018-12-17T22:48:44.571993929Z	61	PC: 13108 \| Open file (Filename = 'B:\README.EXE')