Sample viewer

vx.netlux.org/Virus.DOS.Wincom.667

[emulator screen recording (GIF) omitted]

Syscalls, side job with the emulated clock set to 1980-01-01 (the configuration line follows the trace):

Time | Syscall (INT 21h AH, decimal) | Op (PC) | Syscall Name
2018-12-17T22:08:51.646924961Z 59 PC: 12e67 | Change current directory
2018-12-17T22:08:51.655865177Z 42 PC: 12f97 | Get date

Disassembly at the return address of the Get date call (INT 21h AH=2Ah leaves DH = month, DL = day, CX = year; only month and day are tested):

0x12f97: cmp dh, 2                 ; month == 2 (February)?
0x12f9a: jne 0x12fa1               ; not February: leave via 0x12fa1
0x12f9c: cmp dl, 2                 ; day == 2?
0x12f9f: je 0x12fa4                ; 2 February: run the block below
0x12fa1: jmp 0x12f64               ; any other date: back to the normal path
0x12fa4: mov ah, 0x3b              ; AH=3Bh Change current directory
0x12fa6: mov dx, 0x38e             ; DS:DX -> ASCIIZ path at offset 0x38e (contents not shown by the viewer)
0x12fa9: int 0x21
0x12fab: mov ah, 0x4e              ; AH=4Eh Find first file
0x12fad: mov cx, 0x26              ; attribute mask 26h = archive | system | hidden
0x12fb0: lea dx, word ptr [0x341]  ; DS:DX -> search pattern at offset 0x341 (contents not shown)
0x12fb4: int 0x21
0x12fb6: jae 0x12fc4               ; CF clear = a file matched
0x12fb8: jmp 0x12f64               ; nothing matched: normal path
0x12fbb: mov ah, 0x4f              ; AH=4Fh Find next file (not reached by fall-through; a jump target for code outside this excerpt)
0x12fbd: int 0x21
0x12fbf: jae 0x12fc4               ; CF clear = another match
0x12fc1: jmp 0x12f64
0x12fc4: mov ah, 0x2f              ; AH=2Fh Get DTA address, where Find first/next left the match
0x12fc6: int 0x21

Side-job configuration for this run (the clock the emulator presented to the sample):

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2105,"SideJobID":0}

[emulator screen recording (GIF) omitted]

Syscalls, side job with the emulated clock set to 1980-02-01 (the configuration line follows the trace):

Time | Syscall (INT 21h AH, decimal) | Op (PC) | Syscall Name
2018-12-25T11:44:57.458153005Z 59 PC: 12e67 | Change current directory
2018-12-25T11:44:57.467323161Z 42 PC: 12f97 | Get date
(the disassembly the viewer attaches here, 0x12f97 to 0x12fc6, is identical to the first run's above)

Side-job configuration for this run (the clock the emulator presented to the sample):

{"DateBased":true,"Day":1,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2105,"SideJobID":0}

[emulator screen recording (GIF) omitted]

Syscalls, side job with the emulated clock set to 1980-02-02, the month/day the check at 0x12f97 accepts (the configuration line follows the trace):

Time | Syscall (INT 21h AH, decimal) | Op (PC) | Syscall Name
2018-12-25T11:44:57.590355357Z 59 PC: 12e67 | Change current directory
2018-12-25T11:44:57.599937941Z 42 PC: 12f97 | Get date
(the disassembly the viewer attaches here, 0x12f97 to 0x12fc6, is identical to the first run's above)

Side-job configuration for this run (the clock the emulator presented to the sample):

{"DateBased":true,"Day":2,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2105,"SideJobID":0}
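The date check and the three side-job clocks above, worked through in code. This is an added example, not part of the vx.netlux.org sample viewer or of the sample itself: the INT 21h function-name table, the row regex and the helper names are this example's own, and the trace rows and JSON lines embedded in it are copied from the runs above. It assumes the viewer's Syscall column is AH in decimal, which the rows bear out (42 = 2Ah Get date, 59 = 3Bh Change current directory).

```python
"""Added example, not part of the vx.netlux.org sample viewer or of the sample itself.
It transcribes the date check disassembled above into a predicate, evaluates the
viewer's three side-job clocks against it, and parses the viewer's syscall rows."""
import json
import re
from dataclasses import dataclass

# INT 21h function numbers (AH) for the calls seen in the traces. The viewer prints
# the Syscall column in decimal, which is why "Get date" shows as 42 (2Ah).
INT21_FUNCTIONS = {
    0x00: "Program terminate", 0x02: "Character output", 0x09: "Display string",
    0x0A: "Buffered keyboard input", 0x19: "Get default drive",
    0x1A: "Set disk transfer address", 0x25: "Set interrupt vector",
    0x29: "Parse filename", 0x2A: "Get date", 0x2F: "Get DTA address",
    0x38: "Get or set country info", 0x3B: "Change current directory",
    0x3E: "Close file", 0x40: "Write file or device", 0x47: "Get current directory",
    0x49: "Release memory", 0x4B: "Execute program", 0x4C: "Terminate with return code",
    0x4E: "Find first file", 0x4F: "Find next file", 0x5D: "File sharing functions",
    0x63: "Get DBCS lead byte table pointer",
}

# Attribute bits of the CX mask handed to Find first (AH=4Eh); 26h in the disassembly.
FIND_ATTRS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume-label", 0x10: "directory", 0x20: "archive"}

# One viewer row: "<timestamp>Z <AH decimal> PC: <hex> | <name>", optionally with the
# first disassembly line fused onto the end, which the optional group discards.
ROW_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+(?P<ah>\d+)\s+PC:\s*(?P<pc>[0-9a-fA-F]+)\s*\|\s*"
    r"(?P<name>.*?)(?:\s+0x[0-9a-fA-F]+:\s.*)?$")


@dataclass
class SyscallRow:
    ts: str
    ah: int
    pc: int
    name: str


def parse_rows(text: str) -> list[SyscallRow]:
    """Parse the viewer's syscall rows; disassembly and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(SyscallRow(m["ts"], int(m["ah"]), int(m["pc"], 16), m["name"]))
    return rows


def decode_find_attrs(mask: int) -> list[str]:
    return [name for bit, name in FIND_ATTRS.items() if mask & bit]


# The check at 0x12f97, transcribed from the disassembly: AH=2Ah returns DH = month and
# DL = day (CX = year is never tested), and both are compared against 2.
PAYLOAD_ENTRY = 0x12FA4   # chdir / Find first sequence, reached only on 2 February
NORMAL_PATH = 0x12F64     # target of the jmp at 0x12fa1 on every other date


def date_check_branch(month: int, day: int) -> int:
    """Address execution continues at for a given DH/DL, following the branches literally."""
    if month != 2:            # cmp dh, 2 ; jne 0x12fa1 -> jmp 0x12f64
        return NORMAL_PATH
    if day == 2:              # cmp dl, 2 ; je 0x12fa4
        return PAYLOAD_ENTRY
    return NORMAL_PATH        # fall through to 0x12fa1 -> jmp 0x12f64


def trigger_fires(month: int, day: int) -> bool:
    return date_check_branch(month, day) == PAYLOAD_ENTRY


def trigger_dates() -> list[tuple[int, int]]:
    """Every (month, day) that reaches the payload; the year plays no part."""
    return [(m, d) for m in range(1, 13) for d in range(1, 32) if trigger_fires(m, d)]


def side_job_outcome(config_line: str) -> tuple[str, bool]:
    """Read one of the viewer's side-job JSON lines and say whether its clock fires the check."""
    cfg = json.loads(config_line)
    if not cfg.get("DateBased"):
        raise ValueError("not a date-based side job")
    stamp = f"{cfg['Year']:04d}-{cfg['Month']:02d}-{cfg['Day']:02d}"
    return stamp, trigger_fires(cfg["Month"], cfg["Day"])


# Copied from the page: the three side-job lines and the first run's two rows.
SIDE_JOBS = [
    '{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,'
    '"TimeBased":false,"OriginalID":2105,"SideJobID":0}',
    '{"DateBased":true,"Day":1,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,'
    '"TimeBased":false,"OriginalID":2105,"SideJobID":0}',
    '{"DateBased":true,"Day":2,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,'
    '"TimeBased":false,"OriginalID":2105,"SideJobID":0}',
]
RUN1_TRACE = """2018-12-17T22:08:51.646924961Z 59 PC: 12e67 | Change current directory
2018-12-17T22:08:51.655865177Z 42 PC: 12f97 | Get date 0x12f97: cmp dh, 2
0x12f9a: jne 0x12fa1"""

if __name__ == "__main__":
    for row in parse_rows(RUN1_TRACE):
        print(f"{row.ts} AH={row.ah:02X}h {INT21_FUNCTIONS.get(row.ah, '?')} at {row.pc:05x}")
    for line in SIDE_JOBS:
        stamp, fires = side_job_outcome(line)
        print(f"{stamp}: {'payload entry' if fires else 'normal path'}")
    print("trigger dates:", trigger_dates())
    print("Find first mask 26h:", decode_find_attrs(0x26))
```

Run as a script it reports 2 February as the only date that reaches 0x12fa4, so the three side-job clocks happen to cover each branch outcome: month mismatch (1 January), month match with day mismatch (1 February), and both matching (2 February).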

[emulator screen recording (GIF) omitted]

Syscalls, full session trace (this one also records the command interpreter's own activity, prompt output and keyboard input, before the Execute program call):

Time | Syscall (INT 21h AH, decimal) | Op (PC) | Syscall Name
2018-12-25T11:44:57.448525113Z 64 PC: 0 | Write file or device (Write 2 bytes on handle 1)
2018-12-25T11:44:57.454971914Z 41 PC: 94fae | Parse filename
2018-12-25T11:44:57.460082152Z 41 PC: 9502f | Parse filename
2018-12-25T11:44:57.463582344Z 41 PC: 9504c | Parse filename
2018-12-25T11:44:57.467999Z 26 PC: 984f7 | Set disk transfer address
2018-12-25T11:44:57.470735577Z 71 PC: 986f3 | Get current directory
2018-12-25T11:44:57.474410329Z 78 PC: 986fe | Find first file
2018-12-25T11:44:57.485553169Z 71 PC: 986f3 | Get current directory (See above)
2018-12-25T11:44:57.489620945Z 78 PC: 986fe | Find first file (See above)
2018-12-25T11:44:57.501142648Z 64 PC: 9a848 | Write file or device (Write 26 bytes on handle 2)
2018-12-25T11:44:57.507045465Z 37 PC: 123c4 | Set interrupt vector (Interrupt = 34; read in decimal like the Syscall column that is vector 22h, the terminate address; the viewer's 'Random write' label is the name of INT 21h function 22h, not of the vector)
2018-12-25T11:44:57.509077543Z 37 PC: 123cb | Set interrupt vector (Interrupt = 35, i.e. vector 23h, the Ctrl-C/Ctrl-Break handler; 'Get file size in records' is again the INT 21h function name)
2018-12-25T11:44:57.511718434Z 37 PC: 123d2 | Set interrupt vector (Interrupt = 36, i.e. vector 24h, the critical error handler; 'Set random record number' likewise)
2018-12-25T11:44:57.513266472Z 62 PC: 122ab | Close file
2018-12-25T11:44:57.515194187Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.523582279Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.525236664Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.527103051Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.529767775Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.531699649Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.533682236Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.536255752Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.537995268Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.539670395Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.544344496Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.546691627Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.549077025Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.551739535Z 62 PC: 122ab | Close file (See above)
2018-12-25T11:44:57.554428258Z 99 PC: 9a5d7 | Get DBCS lead byte table pointer
2018-12-25T11:44:57.556278875Z 56 PC: 94df9 | Get or set country info
2018-12-25T11:44:57.559417386Z 64 PC: 9a848 | Write file or device (See above)
2018-12-25T11:44:57.564397362Z 25 PC: 94e62 | Get default drive
2018-12-25T11:44:57.565989199Z 71 PC: 970dd | Get current directory
2018-12-25T11:44:57.570722785Z 64 PC: 9a848 | Write file or device (See above)
2018-12-25T11:44:57.574380794Z 2 PC: 970b2 | Character output (Char = '3e', i.e. '>', the prompt)
2018-12-25T11:44:57.576747073Z 93 PC: 94f20 | File sharing functions
2018-12-25T11:44:57.578513164Z 93 PC: 94f27 | File sharing functions
2018-12-25T11:44:57.581677866Z 10 PC: 94f39 | Buffered keyboard input
2018-12-25T11:45:12.495170332Z 0 PC: 0 | Program terminate (See above)
2018-12-25T11:45:13.860910698Z 0 PC: 0 | Program terminate (See above)
2018-12-25T11:45:13.963209231Z 64 PC: 9a848 | Write file or device (See above)
2018-12-25T11:45:13.969825927Z 41 PC: 94fae | Parse filename (See above)
2018-12-25T11:45:13.973485084Z 41 PC: 9502f | Parse filename (See above)
2018-12-25T11:45:13.976493691Z 41 PC: 9504c | Parse filename (See above)
2018-12-25T11:45:13.978685894Z 26 PC: 984f7 | Set disk transfer address (See above)
2018-12-25T11:45:13.98826613Z 71 PC: 986f3 | Get current directory (See above)
2018-12-25T11:45:13.993562924Z 78 PC: 986fe | Find first file (See above)
2018-12-25T11:45:14.002776744Z 71 PC: 9856c | Get current directory
2018-12-25T11:45:14.005703861Z 73 PC: 97c09 | Release memory
2018-12-25T11:45:14.006863675Z 75 PC: 11821 | Execute program
2018-12-25T11:45:14.017809959Z 9 PC: 12a47 | Display string (String= 'Hello, World! ')
2018-12-25T11:45:14.020906349Z 76 PC: 12a4b | Terminate with return code (Return code = '36')