Sample viewer

vx.netlux.org/Virus.DOS.Nostardamus.3584

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:45:12.144631275Z	42	PC: 12fc7 \| Get date 0x12fc7: inc al 0x12fc9: shl al, 1 0x12fcb: cmp dl, al 0x12fcd: jne 0x13002 0x12fcf: mov ah, 0x13 0x12fd1: int 0x2f 0x12fd3: push ds 0x12fd4: push dx 0x12fd5: mov ah, 0x13 0x12fd7: int 0x2f 0x12fd9: pop dx 0x12fda: pop ds 0x12fdb: mov ax, 0x2513 0x12fde: int 0x21 0x12fe0: mov cx, 1 0x12fe3: mov dx, 0x580 0x12fe6: mov ax, 0x308 0x12fe9: int 0x13 0x12feb: jb 0x12ffa 0x12fed: dec dh
2018-12-17T22:45:12.160536528Z	108	PC: 1301b \| Extended open/create file
2018-12-17T22:45:12.162512592Z	78	PC: 13042 \| Find first file
2018-12-17T22:45:12.16948436Z	47	PC: 13048 \| Get disk transfer address
2018-12-17T22:45:12.170940382Z	79	PC: 13077 \| Find next file
2018-12-17T22:45:12.174409439Z	47	PC: 13048 \| Get disk transfer address
2018-12-17T22:45:12.175745637Z	79	PC: 13077 \| Find next file
2018-12-17T22:45:12.178473109Z	47	PC: 13048 \| Get disk transfer address
2018-12-17T22:45:12.180121683Z	79	PC: 13077 \| Find next file
2018-12-17T22:45:12.182887032Z	47	PC: 13048 \| Get disk transfer address
2018-12-17T22:45:12.184300027Z	79	PC: 13077 \| Find next file
2018-12-17T22:45:12.187504191Z	47	PC: 13048 \| Get disk transfer address
2018-12-17T22:45:12.18881086Z	79	PC: 13077 \| Find next file
2018-12-17T22:45:12.191314219Z	78	PC: 13042 \| Find first file
2018-12-17T22:45:12.19362718Z	51	PC: 12a88 \| Get or set Ctrl-Break
2018-12-17T22:45:12.194923162Z	82	PC: 12a90 \| Get DOS internal pointers (SYSVARS)
2018-12-17T22:45:12.196392049Z	53	PC: 12b15 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:45:12.198029756Z	82	PC: 12b23 \| Get DOS internal pointers (SYSVARS)
2018-12-17T22:45:12.200110724Z	37	PC: 12b52 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:45:12.203655935Z	72	PC: 9f26c \| Allocate memory
2018-12-17T22:45:12.205513213Z	37	PC: 9f262 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8459,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:04:41.192504118Z	42	PC: 12fc7 \| Get date 0x12fc7: inc al 0x12fc9: shl al, 1 0x12fcb: cmp dl, al 0x12fcd: jne 0x13002 0x12fcf: mov ah, 0x13 0x12fd1: int 0x2f 0x12fd3: push ds 0x12fd4: push dx 0x12fd5: mov ah, 0x13 0x12fd7: int 0x2f 0x12fd9: pop dx 0x12fda: pop ds 0x12fdb: mov ax, 0x2513 0x12fde: int 0x21 0x12fe0: mov cx, 1 0x12fe3: mov dx, 0x580 0x12fe6: mov ax, 0x308 0x12fe9: int 0x13 0x12feb: jb 0x12ffa 0x12fed: dec dh
2018-12-25T12:04:41.221081798Z	108	PC: 1301b \| Extended open/create file
2018-12-25T12:04:41.225520928Z	78	PC: 13042 \| Find first file
2018-12-25T12:04:41.230929927Z	47	PC: 13048 \| Get disk transfer address
2018-12-25T12:04:41.232459642Z	79	PC: 13077 \| Find next file
2018-12-25T12:04:41.235564056Z	47	PC: 13048 \| Get disk transfer address (See above)
2018-12-25T12:04:41.236948161Z	79	PC: 13077 \| Find next file (See above)
2018-12-25T12:04:41.240083059Z	47	PC: 13048 \| Get disk transfer address (See above)
2018-12-25T12:04:41.241108049Z	79	PC: 13077 \| Find next file (See above)
2018-12-25T12:04:41.243377388Z	47	PC: 13048 \| Get disk transfer address (See above)
2018-12-25T12:04:41.244953477Z	79	PC: 13077 \| Find next file (See above)
2018-12-25T12:04:41.247227949Z	47	PC: 13048 \| Get disk transfer address (See above)
2018-12-25T12:04:41.248143316Z	79	PC: 13077 \| Find next file (See above)
2018-12-25T12:04:41.252829853Z	78	PC: 13042 \| Find first file (See above)
2018-12-25T12:04:41.257093369Z	51	PC: 12a88 \| Get or set Ctrl-Break
2018-12-25T12:04:41.257751038Z	82	PC: 12a90 \| Get DOS internal pointers (SYSVARS)
2018-12-25T12:04:41.258893743Z	53	PC: 12b15 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:41.260133121Z	82	PC: 12b23 \| Get DOS internal pointers (SYSVARS)
2018-12-25T12:04:41.261019786Z	37	PC: 12b52 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:41.263817297Z	72	PC: 9f26c \| Allocate memory
2018-12-25T12:04:41.265728965Z	37	PC: 9f262 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')

{"DateBased":true,"Day":10,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8459,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:04:42.135253998Z	42	PC: 12fc7 \| Get date 0x12fc7: inc al 0x12fc9: shl al, 1 0x12fcb: cmp dl, al 0x12fcd: jne 0x13002 0x12fcf: mov ah, 0x13 0x12fd1: int 0x2f 0x12fd3: push ds 0x12fd4: push dx 0x12fd5: mov ah, 0x13 0x12fd7: int 0x2f 0x12fd9: pop dx 0x12fda: pop ds 0x12fdb: mov ax, 0x2513 0x12fde: int 0x21 0x12fe0: mov cx, 1 0x12fe3: mov dx, 0x580 0x12fe6: mov ax, 0x308 0x12fe9: int 0x13 0x12feb: jb 0x12ffa 0x12fed: dec dh
2018-12-25T12:04:42.138304172Z	37	PC: 12fe0 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')