Sample viewer

vx.netlux.org/Virus.DOS.Wanderer_M.1845

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:09:53.211570587Z	255	PC: 130ce \| UNKNOWN!
2018-12-17T22:09:53.212902835Z	53	PC: 130d9 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:09:53.214079105Z	240	PC: 13108 \| UNKNOWN!
2018-12-17T22:09:53.214987697Z	42	PC: 12f7e \| Get date 0x12f7e: cmp cx, 0x7cb 0x12f82: jne 0x12f94 0x12f84: cmp dh, 3 0x12f87: jne 0x12f94 0x12f89: cmp dl, 0x13 0x12f8c: jb 0x12f94 0x12f8e: mov byte ptr cs:[0x725], 1 0x12f94: call 0x13117 0x12f97: nop 0x12f98: mov word ptr cs:[0x6fa], es 0x12f9d: nop 0x12f9e: mov word ptr cs:[0x6fe], es 0x12fa3: mov word ptr cs:[0x702], es 0x12fa8: mov byte ptr cs:[0x7de], 0 0x12fae: mov cx, 0x7e0 0x12fb1: xor si, si 0x12fb3: push es 0x12fb4: pop ax 0x12fb5: add ax, 0x10 0x12fb8: mov es, ax
2018-12-17T22:09:53.218064614Z	74	PC: 12fdb \| Reallocate memory
2018-12-17T22:09:53.234248169Z	75	PC: 13027 \| Execute program
2018-12-17T22:09:53.248349938Z	255	PC: 13a3e \| UNKNOWN!
2018-12-17T22:09:53.24944888Z	53	PC: 13a49 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:09:53.252160427Z	76	PC: 133b5 \| Terminate with return code (Return code = '0')
2018-12-17T22:09:53.256489053Z	73	PC: 12c58 \| Release memory
2018-12-17T22:09:53.257781779Z	44	PC: 13035 \| Get time 0x13035: cmp cl, 5 0x13038: je 0x13042 0x1303a: mov al, 0x31 0x1303c: mov dx, 0x8e 0x1303f: call 0x22c4f 0x13042: push cs 0x13043: pop ds 0x13044: push cs 0x13045: pop es 0x13046: call 0x22ae1 0x13049: and al, 2 0x1304b: cmp al, 2 0x1304d: jne 0x1307d 0x1304f: mov ah, 0x19 0x13051: int 0x21 0x13053: mov dl, al 0x13055: cmp dl, 2 0x13058: jb 0x1305d 0x1305a: add dl, 0x7e 0x1305d: mov ax, 0x309
2018-12-17T22:09:53.26037805Z	49	PC: 12c58 \| Terminate and stay resident (Return code = '44' \| Memory size = '142')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":2225,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:14.312551026Z	255	PC: 130ce \| UNKNOWN!
2018-12-25T11:45:14.314662232Z	53	PC: 130d9 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:14.315929337Z	240	PC: 13108 \| UNKNOWN!
2018-12-25T11:45:14.316686975Z	42	PC: 12f7e \| Get date 0x12f7e: cmp cx, 0x7cb 0x12f82: jne 0x12f94 0x12f84: cmp dh, 3 0x12f87: jne 0x12f94 0x12f89: cmp dl, 0x13 0x12f8c: jb 0x12f94 0x12f8e: mov byte ptr cs:[0x725], 1 0x12f94: call 0x13117 0x12f97: nop 0x12f98: mov word ptr cs:[0x6fa], es 0x12f9d: nop 0x12f9e: mov word ptr cs:[0x6fe], es 0x12fa3: mov word ptr cs:[0x702], es 0x12fa8: mov byte ptr cs:[0x7de], 0 0x12fae: mov cx, 0x7e0 0x12fb1: xor si, si 0x12fb3: push es 0x12fb4: pop ax 0x12fb5: add ax, 0x10 0x12fb8: mov es, ax
2018-12-25T11:45:14.31992026Z	74	PC: 12fdb \| Reallocate memory
2018-12-25T11:45:14.337726762Z	75	PC: 13027 \| Execute program
2018-12-25T11:45:14.355425659Z	255	PC: 13a3e \| UNKNOWN!
2018-12-25T11:45:14.359649895Z	53	PC: 13a49 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:14.365064569Z	76	PC: 133b5 \| Terminate with return code (Return code = '0')
2018-12-25T11:45:14.368560703Z	73	PC: 12c58 \| Release memory
2018-12-25T11:45:14.370423839Z	44	PC: 13035 \| Get time 0x13035: cmp cl, 5 0x13038: je 0x13042 0x1303a: mov al, 0x31 0x1303c: mov dx, 0x8e 0x1303f: call 0x22c4f 0x13042: push cs 0x13043: pop ds 0x13044: push cs 0x13045: pop es 0x13046: call 0x22ae1 0x13049: and al, 2 0x1304b: cmp al, 2 0x1304d: jne 0x1307d 0x1304f: mov ah, 0x19 0x13051: int 0x21 0x13053: mov dl, al 0x13055: cmp dl, 2 0x13058: jb 0x1305d 0x1305a: add dl, 0x7e 0x1305d: mov ax, 0x309
2018-12-25T11:45:14.374196643Z	49	PC: 12c58 \| Terminate and stay resident (See above)

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":2225,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T13:06:49.199144621Z	255	PC: 130ce \| UNKNOWN!
2018-12-25T13:06:49.200307727Z	53	PC: 130d9 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:06:49.201492789Z	240	PC: 13108 \| UNKNOWN!
2018-12-25T13:06:49.202335533Z	42	PC: 12f7e \| Get date 0x12f7e: cmp cx, 0x7cb 0x12f82: jne 0x12f94 0x12f84: cmp dh, 3 0x12f87: jne 0x12f94 0x12f89: cmp dl, 0x13 0x12f8c: jb 0x12f94 0x12f8e: mov byte ptr cs:[0x725], 1 0x12f94: call 0x13117 0x12f97: nop 0x12f98: mov word ptr cs:[0x6fa], es 0x12f9d: nop 0x12f9e: mov word ptr cs:[0x6fe], es 0x12fa3: mov word ptr cs:[0x702], es 0x12fa8: mov byte ptr cs:[0x7de], 0 0x12fae: mov cx, 0x7e0 0x12fb1: xor si, si 0x12fb3: push es 0x12fb4: pop ax 0x12fb5: add ax, 0x10 0x12fb8: mov es, ax
2018-12-25T13:06:49.204566857Z	74	PC: 12fdb \| Reallocate memory
2018-12-25T13:06:49.206244675Z	75	PC: 13027 \| Execute program
2018-12-25T13:06:49.215830469Z	255	PC: 13a3e \| UNKNOWN!
2018-12-25T13:06:49.216802786Z	53	PC: 13a49 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:06:49.218493103Z	76	PC: 133b5 \| Terminate with return code (Return code = '0')
2018-12-25T13:06:49.220610186Z	73	PC: 12c58 \| Release memory
2018-12-25T13:06:49.221770573Z	44	PC: 13035 \| Get time 0x13035: cmp cl, 5 0x13038: je 0x13042 0x1303a: mov al, 0x31 0x1303c: mov dx, 0x8e 0x1303f: call 0x22c4f 0x13042: push cs 0x13043: pop ds 0x13044: push cs 0x13045: pop es 0x13046: call 0x22ae1 0x13049: and al, 2 0x1304b: cmp al, 2 0x1304d: jne 0x1307d 0x1304f: mov ah, 0x19 0x13051: int 0x21 0x13053: mov dl, al 0x13055: cmp dl, 2 0x13058: jb 0x1305d 0x1305a: add dl, 0x7e 0x1305d: mov ax, 0x309
2018-12-25T13:06:49.224191249Z	49	PC: 12c58 \| Terminate and stay resident (See above)

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":5,"Second":0,"TimeBased":true,"OriginalID":2225,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:15.225022843Z	255	PC: 130ce \| UNKNOWN!
2018-12-25T11:45:15.226260786Z	53	PC: 130d9 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:15.22744957Z	240	PC: 13108 \| UNKNOWN!
2018-12-25T11:45:15.228225601Z	42	PC: 12f7e \| Get date 0x12f7e: cmp cx, 0x7cb 0x12f82: jne 0x12f94 0x12f84: cmp dh, 3 0x12f87: jne 0x12f94 0x12f89: cmp dl, 0x13 0x12f8c: jb 0x12f94 0x12f8e: mov byte ptr cs:[0x725], 1 0x12f94: call 0x13117 0x12f97: nop 0x12f98: mov word ptr cs:[0x6fa], es 0x12f9d: nop 0x12f9e: mov word ptr cs:[0x6fe], es 0x12fa3: mov word ptr cs:[0x702], es 0x12fa8: mov byte ptr cs:[0x7de], 0 0x12fae: mov cx, 0x7e0 0x12fb1: xor si, si 0x12fb3: push es 0x12fb4: pop ax 0x12fb5: add ax, 0x10 0x12fb8: mov es, ax
2018-12-25T11:45:15.231863818Z	74	PC: 12fdb \| Reallocate memory
2018-12-25T11:45:15.23555111Z	75	PC: 13027 \| Execute program
2018-12-25T11:45:15.249680572Z	255	PC: 13a3e \| UNKNOWN!
2018-12-25T11:45:15.251501544Z	53	PC: 13a49 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:15.25316361Z	76	PC: 133b5 \| Terminate with return code (Return code = '0')
2018-12-25T11:45:15.256700534Z	73	PC: 12c58 \| Release memory
2018-12-25T11:45:15.261395079Z	44	PC: 13035 \| Get time 0x13035: cmp cl, 5 0x13038: je 0x13042 0x1303a: mov al, 0x31 0x1303c: mov dx, 0x8e 0x1303f: call 0x22c4f 0x13042: push cs 0x13043: pop ds 0x13044: push cs 0x13045: pop es 0x13046: call 0x22ae1 0x13049: and al, 2 0x1304b: cmp al, 2 0x1304d: jne 0x1307d 0x1304f: mov ah, 0x19 0x13051: int 0x21 0x13053: mov dl, al 0x13055: cmp dl, 2 0x13058: jb 0x1305d 0x1305a: add dl, 0x7e 0x1305d: mov ax, 0x309
2018-12-25T11:45:15.263693401Z	25	PC: 13053 \| Get default drive

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":5,"Second":0,"TimeBased":true,"OriginalID":2225,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:15.446813891Z	255	PC: 130ce \| UNKNOWN!
2018-12-25T11:45:15.448987265Z	53	PC: 130d9 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:15.45058505Z	240	PC: 13108 \| UNKNOWN!
2018-12-25T11:45:15.451515733Z	42	PC: 12f7e \| Get date 0x12f7e: cmp cx, 0x7cb 0x12f82: jne 0x12f94 0x12f84: cmp dh, 3 0x12f87: jne 0x12f94 0x12f89: cmp dl, 0x13 0x12f8c: jb 0x12f94 0x12f8e: mov byte ptr cs:[0x725], 1 0x12f94: call 0x13117 0x12f97: nop 0x12f98: mov word ptr cs:[0x6fa], es 0x12f9d: nop 0x12f9e: mov word ptr cs:[0x6fe], es 0x12fa3: mov word ptr cs:[0x702], es 0x12fa8: mov byte ptr cs:[0x7de], 0 0x12fae: mov cx, 0x7e0 0x12fb1: xor si, si 0x12fb3: push es 0x12fb4: pop ax 0x12fb5: add ax, 0x10 0x12fb8: mov es, ax
2018-12-25T11:45:15.454864581Z	74	PC: 12fdb \| Reallocate memory
2018-12-25T11:45:15.45738652Z	75	PC: 13027 \| Execute program
2018-12-25T11:45:15.47297804Z	255	PC: 13a3e \| UNKNOWN!
2018-12-25T11:45:15.474035079Z	53	PC: 13a49 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:15.476395805Z	76	PC: 133b5 \| Terminate with return code (Return code = '0')
2018-12-25T11:45:15.479878945Z	73	PC: 12c58 \| Release memory
2018-12-25T11:45:15.481468415Z	44	PC: 13035 \| Get time 0x13035: cmp cl, 5 0x13038: je 0x13042 0x1303a: mov al, 0x31 0x1303c: mov dx, 0x8e 0x1303f: call 0x22c4f 0x13042: push cs 0x13043: pop ds 0x13044: push cs 0x13045: pop es 0x13046: call 0x22ae1 0x13049: and al, 2 0x1304b: cmp al, 2 0x1304d: jne 0x1307d 0x1304f: mov ah, 0x19 0x13051: int 0x21 0x13053: mov dl, al 0x13055: cmp dl, 2 0x13058: jb 0x1305d 0x1305a: add dl, 0x7e 0x1305d: mov ax, 0x309