Sample viewer

vx.netlux.org/Virus.DOS.Necros.1164

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:55:45.198210206Z	75	PC: 12a5b \| Execute program
2018-12-17T22:55:45.200085162Z	37	PC: 12a6b \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-17T22:55:45.201696142Z	53	PC: 12a70 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:55:45.203076368Z	37	PC: 12a80 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:55:45.211067456Z	53	PC: 12a85 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:55:45.213064161Z	42	PC: 12a91 \| Get date 0x12a91: mov ax, 0x251c 0x12a94: cmp dx, 0xb15 0x12a98: jne 0x12aa0 0x12a9a: mov dx, 0x48c 0x12a9d: jmp 0x12aa3 0x12a9f: nop 0x12aa0: mov dx, 0x4fa 0x12aa3: int 0x21 0x12aa5: mov word ptr [0x484], 0x1e 0x12aab: mov word ptr [0x486], 0x7d0 0x12ab1: call 0x12aca 0x12ab4: mov ah, 0x49 0x12ab6: mov es, word ptr [0x2c] 0x12aba: int 0x21 0x12abc: mov ah, 0x31 0x12abe: mov dx, 0xa3 0x12ac1: int 0x21 0x12ac3: call 0x12aca 0x12ac6: mov ah, 0x4c 0x12ac8: int 0x21
2018-12-17T22:55:45.214925602Z	37	PC: 12aa5 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:55:45.216112874Z	74	PC: 12ad5 \| Reallocate memory
2018-12-17T22:55:45.218240285Z	61	PC: 12c0e \| Open file (Filename = 'C:\T\A8.COM')
2018-12-17T22:55:45.22314507Z	75	PC: 12af1 \| Execute program
2018-12-17T22:55:45.22952126Z	77	PC: 12af5 \| Get program return code
2018-12-17T22:55:45.240601648Z	73	PC: 12abc \| Release memory
2018-12-17T22:55:45.242687621Z	49	PC: 12ac3 \| Terminate and stay resident (Return code = '125' \| Memory size = '163')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11993,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:31:47.113761108Z	75	PC: 12a5b \| Execute program
2018-12-25T12:31:47.116598156Z	37	PC: 12a6b \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:31:47.117901535Z	53	PC: 12a70 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:31:47.11933341Z	37	PC: 12a80 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:31:47.120891581Z	53	PC: 12a85 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:31:47.122536003Z	42	PC: 12a91 \| Get date 0x12a91: mov ax, 0x251c 0x12a94: cmp dx, 0xb15 0x12a98: jne 0x12aa0 0x12a9a: mov dx, 0x48c 0x12a9d: jmp 0x12aa3 0x12a9f: nop 0x12aa0: mov dx, 0x4fa 0x12aa3: int 0x21 0x12aa5: mov word ptr [0x484], 0x1e 0x12aab: mov word ptr [0x486], 0x7d0 0x12ab1: call 0x12aca 0x12ab4: mov ah, 0x49 0x12ab6: mov es, word ptr [0x2c] 0x12aba: int 0x21 0x12abc: mov ah, 0x31 0x12abe: mov dx, 0xa3 0x12ac1: int 0x21 0x12ac3: call 0x12aca 0x12ac6: mov ah, 0x4c 0x12ac8: int 0x21
2018-12-25T12:31:47.124915371Z	37	PC: 12aa5 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:31:47.1264217Z	74	PC: 12ad5 \| Reallocate memory
2018-12-25T12:31:47.128576721Z	61	PC: 12c0e \| Open file (Filename = 'C:\T\A8.COM')
2018-12-25T12:31:47.134399426Z	75	PC: 12af1 \| Execute program
2018-12-25T12:31:47.140366409Z	77	PC: 12af5 \| Get program return code
2018-12-25T12:31:47.149746732Z	73	PC: 12abc \| Release memory
2018-12-25T12:31:47.151097016Z	49	PC: 12ac3 \| Terminate and stay resident (Return code = '125' \| Memory size = '163')

{"DateBased":true,"Day":21,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11993,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:31:47.443052309Z	75	PC: 12a5b \| Execute program
2018-12-25T12:31:47.444878204Z	37	PC: 12a6b \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:31:47.446790885Z	53	PC: 12a70 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:31:47.447788005Z	37	PC: 12a80 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:31:47.448837934Z	53	PC: 12a85 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:31:47.450598756Z	42	PC: 12a91 \| Get date 0x12a91: mov ax, 0x251c 0x12a94: cmp dx, 0xb15 0x12a98: jne 0x12aa0 0x12a9a: mov dx, 0x48c 0x12a9d: jmp 0x12aa3 0x12a9f: nop 0x12aa0: mov dx, 0x4fa 0x12aa3: int 0x21 0x12aa5: mov word ptr [0x484], 0x1e 0x12aab: mov word ptr [0x486], 0x7d0 0x12ab1: call 0x12aca 0x12ab4: mov ah, 0x49 0x12ab6: mov es, word ptr [0x2c] 0x12aba: int 0x21 0x12abc: mov ah, 0x31 0x12abe: mov dx, 0xa3 0x12ac1: int 0x21 0x12ac3: call 0x12aca 0x12ac6: mov ah, 0x4c 0x12ac8: int 0x21
2018-12-25T12:31:47.4535674Z	37	PC: 12aa5 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:31:47.455278778Z	74	PC: 12ad5 \| Reallocate memory
2018-12-25T12:31:47.457962801Z	61	PC: 12c0e \| Open file (Filename = 'C:\T\A8.COM')
2018-12-25T12:31:47.464716848Z	75	PC: 12af1 \| Execute program
2018-12-25T12:31:47.471211234Z	77	PC: 12af5 \| Get program return code
2018-12-25T12:31:47.472960174Z	73	PC: 12abc \| Release memory
2018-12-25T12:31:47.47438947Z	49	PC: 12ac3 \| Terminate and stay resident (Return code = '125' \| Memory size = '163')