Sample viewer

vx.netlux.org/Virus.DOS.Mirror.1056

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:03:35.962764913Z	53	PC: 13472 \| Get interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-17T23:03:35.964277463Z	74	PC: 13497 \| Reallocate memory
2018-12-17T23:03:35.967199862Z	72	PC: 134a0 \| Allocate memory
2018-12-17T23:03:35.96948405Z	37	PC: 134c8 \| Set interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-17T23:03:35.971263051Z	53	PC: 134cf \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:03:35.980307819Z	37	PC: 134df \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:03:35.982257936Z	42	PC: 134e3 \| Get date 0x134e3: cmp cx, 0x7c9 0x134e7: jb 0x13509 0x134e9: cmp dh, 3 0x134ec: jb 0x13509 0x134ee: mov ax, 0x3508 0x134f1: int 0x21 0x134f3: mov word ptr [0x133], es 0x134f7: mov word ptr [0x131], bx 0x134fb: mov word ptr [0x135], 0 0x13501: mov ax, 0x2508 0x13504: mov dx, 0xdb 0x13507: int 0x21 0x13509: pop es 0x1350a: mov ax, es 0x1350c: add word ptr cs:[0xc3], ax 0x13511: add word ptr cs:[0xc3], 0x10 0x13517: pop bp 0x13518: pop di 0x13519: pop si 0x1351a: pop ds
2018-12-17T23:03:35.985282093Z	53	PC: 134f3 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:03:36.00213229Z	37	PC: 13509 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:03:36.003764494Z	48	PC: 12a87 \| Get DOS version
2018-12-17T23:03:36.0050777Z	9	PC: 12a96 \| Display string (String= 'The Norton Commander, Copyright (C) 1986, 88, 89, Peter Norton Computing, Inc. ')
2018-12-17T23:03:36.012773572Z	74	PC: 12adc \| Reallocate memory
2018-12-17T23:03:36.015039107Z	37	PC: 12af0 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:03:36.016620482Z	51	PC: 12d58 \| Get or set Ctrl-Break
2018-12-17T23:03:36.017641672Z	51	PC: 12d63 \| Get or set Ctrl-Break
2018-12-17T23:03:36.020169939Z	72	PC: 13109 \| Allocate memory
2018-12-17T23:03:36.022795088Z	41	PC: 13184 \| Parse filename
2018-12-17T23:03:36.024671742Z	41	PC: 1318d \| Parse filename
2018-12-17T23:03:36.027247863Z	61	PC: 9fa13 \| Open file (Filename = 'A:\NCMAIN.EXE')
2018-12-17T23:03:36.034807924Z	75	PC: 13157 \| Execute program

{"DateBased":true,"Day":1,"Month":3,"Year":1993,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":14599,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:41:03.493839787Z	53	PC: 13472 \| Get interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-25T12:41:03.495266721Z	74	PC: 13497 \| Reallocate memory
2018-12-25T12:41:03.496428127Z	72	PC: 134a0 \| Allocate memory
2018-12-25T12:41:03.49821155Z	37	PC: 134c8 \| Set interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-25T12:41:03.499566319Z	53	PC: 134cf \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:41:03.500851339Z	37	PC: 134df \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:41:03.501815301Z	42	PC: 134e3 \| Get date 0x134e3: cmp cx, 0x7c9 0x134e7: jb 0x13509 0x134e9: cmp dh, 3 0x134ec: jb 0x13509 0x134ee: mov ax, 0x3508 0x134f1: int 0x21 0x134f3: mov word ptr [0x133], es 0x134f7: mov word ptr [0x131], bx 0x134fb: mov word ptr [0x135], 0 0x13501: mov ax, 0x2508 0x13504: mov dx, 0xdb 0x13507: int 0x21 0x13509: pop es 0x1350a: mov ax, es 0x1350c: add word ptr cs:[0xc3], ax 0x13511: add word ptr cs:[0xc3], 0x10 0x13517: pop bp 0x13518: pop di 0x13519: pop si 0x1351a: pop ds
2018-12-25T12:41:03.504507111Z	53	PC: 134f3 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:41:03.505986017Z	37	PC: 13509 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:41:03.507174182Z	48	PC: 12a87 \| Get DOS version
2018-12-25T12:41:03.508189519Z	9	PC: 12a96 \| Display string (String= 'The Norton Commander, Copyright (C) 1986, 88, 89, Peter Norton Computing, Inc. ')
2018-12-25T12:41:03.512976717Z	74	PC: 12adc \| Reallocate memory
2018-12-25T12:41:03.514744375Z	37	PC: 12af0 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:41:03.516129355Z	51	PC: 12d58 \| Get or set Ctrl-Break
2018-12-25T12:41:03.517789785Z	51	PC: 12d63 \| Get or set Ctrl-Break
2018-12-25T12:41:03.518747038Z	72	PC: 13109 \| Allocate memory
2018-12-25T12:41:03.520209886Z	41	PC: 13184 \| Parse filename
2018-12-25T12:41:03.521870391Z	41	PC: 1318d \| Parse filename
2018-12-25T12:41:03.523785626Z	61	PC: 9fa13 \| Open file (Filename = 'A:\NCMAIN.EXE')
2018-12-25T12:41:03.528836702Z	75	PC: 13157 \| Execute program

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":14599,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:41:03.559330654Z	53	PC: 13472 \| Get interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-25T12:41:03.561170714Z	74	PC: 13497 \| Reallocate memory
2018-12-25T12:41:03.562430196Z	72	PC: 134a0 \| Allocate memory
2018-12-25T12:41:03.564278835Z	37	PC: 134c8 \| Set interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-25T12:41:03.566054879Z	53	PC: 134cf \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:41:03.567723425Z	37	PC: 134df \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:41:03.568913053Z	42	PC: 134e3 \| Get date 0x134e3: cmp cx, 0x7c9 0x134e7: jb 0x13509 0x134e9: cmp dh, 3 0x134ec: jb 0x13509 0x134ee: mov ax, 0x3508 0x134f1: int 0x21 0x134f3: mov word ptr [0x133], es 0x134f7: mov word ptr [0x131], bx 0x134fb: mov word ptr [0x135], 0 0x13501: mov ax, 0x2508 0x13504: mov dx, 0xdb 0x13507: int 0x21 0x13509: pop es 0x1350a: mov ax, es 0x1350c: add word ptr cs:[0xc3], ax 0x13511: add word ptr cs:[0xc3], 0x10 0x13517: pop bp 0x13518: pop di 0x13519: pop si 0x1351a: pop ds
2018-12-25T12:41:03.571539455Z	48	PC: 12a87 \| Get DOS version
2018-12-25T12:41:03.579616663Z	9	PC: 12a96 \| Display string (String= 'The Norton Commander, Copyright (C) 1986, 88, 89, Peter Norton Computing, Inc. ')
2018-12-25T12:41:03.585876381Z	74	PC: 12adc \| Reallocate memory
2018-12-25T12:41:03.587880082Z	37	PC: 12af0 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:41:03.589736616Z	51	PC: 12d58 \| Get or set Ctrl-Break
2018-12-25T12:41:03.590924393Z	51	PC: 12d63 \| Get or set Ctrl-Break
2018-12-25T12:41:03.592123992Z	72	PC: 13109 \| Allocate memory
2018-12-25T12:41:03.603556193Z	41	PC: 13184 \| Parse filename
2018-12-25T12:41:03.606025973Z	41	PC: 1318d \| Parse filename
2018-12-25T12:41:03.608318062Z	61	PC: 9fa13 \| Open file (Filename = 'A:\NCMAIN.EXE')
2018-12-25T12:41:03.622598999Z	75	PC: 13157 \| Execute program

{"DateBased":true,"Day":1,"Month":1,"Year":1993,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":14599,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:41:04.864846791Z	53	PC: 13472 \| Get interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-25T12:41:04.866754492Z	74	PC: 13497 \| Reallocate memory
2018-12-25T12:41:04.868416136Z	72	PC: 134a0 \| Allocate memory
2018-12-25T12:41:04.870015165Z	37	PC: 134c8 \| Set interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-25T12:41:04.8758332Z	53	PC: 134cf \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:41:04.877241361Z	37	PC: 134df \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:41:04.87863337Z	42	PC: 134e3 \| Get date 0x134e3: cmp cx, 0x7c9 0x134e7: jb 0x13509 0x134e9: cmp dh, 3 0x134ec: jb 0x13509 0x134ee: mov ax, 0x3508 0x134f1: int 0x21 0x134f3: mov word ptr [0x133], es 0x134f7: mov word ptr [0x131], bx 0x134fb: mov word ptr [0x135], 0 0x13501: mov ax, 0x2508 0x13504: mov dx, 0xdb 0x13507: int 0x21 0x13509: pop es 0x1350a: mov ax, es 0x1350c: add word ptr cs:[0xc3], ax 0x13511: add word ptr cs:[0xc3], 0x10 0x13517: pop bp 0x13518: pop di 0x13519: pop si 0x1351a: pop ds
2018-12-25T12:41:04.881196344Z	48	PC: 12a87 \| Get DOS version
2018-12-25T12:41:04.88273344Z	9	PC: 12a96 \| Display string (String= 'The Norton Commander, Copyright (C) 1986, 88, 89, Peter Norton Computing, Inc. ')
2018-12-25T12:41:04.889027651Z	74	PC: 12adc \| Reallocate memory
2018-12-25T12:41:04.891464398Z	37	PC: 12af0 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:41:04.894358742Z	51	PC: 12d58 \| Get or set Ctrl-Break
2018-12-25T12:41:04.896140264Z	51	PC: 12d63 \| Get or set Ctrl-Break
2018-12-25T12:41:04.897722156Z	72	PC: 13109 \| Allocate memory
2018-12-25T12:41:04.901477293Z	41	PC: 13184 \| Parse filename
2018-12-25T12:41:04.90355855Z	41	PC: 1318d \| Parse filename
2018-12-25T12:41:04.905037863Z	61	PC: 9fa13 \| Open file (Filename = 'A:\NCMAIN.EXE')
2018-12-25T12:41:04.913167434Z	75	PC: 13157 \| Execute program