{"DateBased":true,"Day":14,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10525,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:28:16.68249222Z | 44 | PC: 12af9 | Get time 0x12af9: mov byte ptr cs:[bp + 0xe], dh 0x12afe: mov byte ptr cs:[bp + 0x680], 0xe 0x12b04: nop 0x12b05: call 0x12eb1 0x12b08: jae 0x12b10 0x12b0a: lea bx, word ptr [bp + 0x351] 0x12b0e: jmp bx 0x12b10: mov ah, 0x30 0x12b12: int 0x21 0x12b14: cmp ax, 4 0x12b17: jae 0x12b1f 0x12b19: lea bx, word ptr [bp + 0x351] 0x12b1d: jmp bx 0x12b1f: mov ah, 0x1a 0x12b21: lea dx, word ptr [bp + 0x6c0] 0x12b25: int 0x21 0x12b27: mov ah, 0x2a 0x12b29: int 0x21 0x12b2b: cmp dx, 0x20e 0x12b2f: je 0x12b37 |
| 2018-12-25T12:28:16.686225638Z | 82 | PC: 12eb5 | Get DOS internal pointers (SYSVARS) |
| 2018-12-25T12:28:16.687831639Z | 48 | PC: 12b14 | Get DOS version |
| 2018-12-25T12:28:16.689301355Z | 26 | PC: 12b27 | Set disk transfer address |
| 2018-12-25T12:28:16.69204205Z | 42 | PC: 12b2b | Get date 0x12b2b: cmp dx, 0x20e 0x12b2f: je 0x12b37 0x12b31: lea bx, word ptr [bp + 0x15e] 0x12b35: jmp bx 0x12b37: mov ah, 0x4e 0x12b39: lea dx, word ptr [bp + 0x5f5] 0x12b3d: mov cx, 0x10 0x12b40: int 0x21 0x12b42: jae 0x12b47 0x12b44: jmp 0x12bc9 0x12b47: mov ah, 0x47 0x12b49: mov dl, 0 0x12b4b: lea si, word ptr [bp + 0x5ff] 0x12b4f: int 0x21 0x12b51: mov ah, 0x3b 0x12b53: lea dx, word ptr [bp + 0x5f5] 0x12b57: int 0x21 0x12b59: jb 0x12bc9 0x12b5b: mov ah, 0x4e 0x12b5d: lea dx, word ptr [bp + 0x5f1] |
| 2018-12-25T12:28:16.694509578Z | 78 | PC: 12b42 | Find first file |
| 2018-12-25T12:28:16.700620912Z | 9 | PC: 12bd1 | Display string (Could not find end pointer) |
| 2018-12-25T12:28:16.801530519Z | 78 | PC: 12bed | Find first file |
| 2018-12-25T12:28:16.805865855Z | 61 | PC: 12c13 | Open file (Filename = 'Cleaning started...$,Done ! Virus removed. Have a nice day and sleep well! $*.exe') |
| 2018-12-25T12:28:16.81045776Z | 66 | PC: 12c58 | Move file pointer |
| 2018-12-25T12:28:16.81172464Z | 63 | PC: 12c66 | Read file or device (Read 32 bytes on handle 5) |
| 2018-12-25T12:28:16.814351924Z | 66 | PC: 12e71 | Move file pointer |
| 2018-12-25T12:28:16.815509345Z | 63 | PC: 12e7f | Read file or device (Read 1 bytes on handle 5) |
| 2018-12-25T12:28:16.817257142Z | 62 | PC: 12c35 | Close file |
| 2018-12-25T12:28:16.819549263Z | 79 | PC: 12c79 | Find next file |
| 2018-12-25T12:28:16.821649599Z | 26 | PC: 12dde | Set disk transfer address |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10525,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:28:16.761351647Z | 44 | PC: 12af9 | Get time 0x12af9: mov byte ptr cs:[bp + 0xe], dh 0x12afe: mov byte ptr cs:[bp + 0x680], 0xe 0x12b04: nop 0x12b05: call 0x12eb1 0x12b08: jae 0x12b10 0x12b0a: lea bx, word ptr [bp + 0x351] 0x12b0e: jmp bx 0x12b10: mov ah, 0x30 0x12b12: int 0x21 0x12b14: cmp ax, 4 0x12b17: jae 0x12b1f 0x12b19: lea bx, word ptr [bp + 0x351] 0x12b1d: jmp bx 0x12b1f: mov ah, 0x1a 0x12b21: lea dx, word ptr [bp + 0x6c0] 0x12b25: int 0x21 0x12b27: mov ah, 0x2a 0x12b29: int 0x21 0x12b2b: cmp dx, 0x20e 0x12b2f: je 0x12b37 |
| 2018-12-25T12:28:16.764068069Z | 82 | PC: 12eb5 | Get DOS internal pointers (SYSVARS) |
| 2018-12-25T12:28:16.765236514Z | 48 | PC: 12b14 | Get DOS version |
| 2018-12-25T12:28:16.766288865Z | 26 | PC: 12b27 | Set disk transfer address |
| 2018-12-25T12:28:16.767864742Z | 42 | PC: 12b2b | Get date 0x12b2b: cmp dx, 0x20e 0x12b2f: je 0x12b37 0x12b31: lea bx, word ptr [bp + 0x15e] 0x12b35: jmp bx 0x12b37: mov ah, 0x4e 0x12b39: lea dx, word ptr [bp + 0x5f5] 0x12b3d: mov cx, 0x10 0x12b40: int 0x21 0x12b42: jae 0x12b47 0x12b44: jmp 0x12bc9 0x12b47: mov ah, 0x47 0x12b49: mov dl, 0 0x12b4b: lea si, word ptr [bp + 0x5ff] 0x12b4f: int 0x21 0x12b51: mov ah, 0x3b 0x12b53: lea dx, word ptr [bp + 0x5f5] 0x12b57: int 0x21 0x12b59: jb 0x12bc9 0x12b5b: mov ah, 0x4e 0x12b5d: lea dx, word ptr [bp + 0x5f1] |
| 2018-12-25T12:28:16.770077089Z | 78 | PC: 12bed | Find first file |
| 2018-12-25T12:28:16.776187744Z | 61 | PC: 12c13 | Open file (Filename = 'Cleaning started...$,Done ! Virus removed. Have a nice day and sleep well! $*.exe') |
| 2018-12-25T12:28:16.784478099Z | 66 | PC: 12c58 | Move file pointer |
| 2018-12-25T12:28:16.786608212Z | 63 | PC: 12c66 | Read file or device (Read 32 bytes on handle 5) |
| 2018-12-25T12:28:16.789629008Z | 66 | PC: 12e71 | Move file pointer |
| 2018-12-25T12:28:16.791361683Z | 63 | PC: 12e7f | Read file or device (Read 1 bytes on handle 5) |
| 2018-12-25T12:28:16.794155748Z | 62 | PC: 12c35 | Close file |
| 2018-12-25T12:28:16.796059594Z | 79 | PC: 12c79 | Find next file |
| 2018-12-25T12:28:16.799652694Z | 26 | PC: 12dde | Set disk transfer address |