{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":10844,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:29:20.966596596Z | 48 | PC: 12aa2 | Get DOS version |
| 2018-12-25T12:29:20.96958701Z | 47 | PC: 12aae | Get disk transfer address |
| 2018-12-25T12:29:20.971414132Z | 26 | PC: 12ac1 | Set disk transfer address |
| 2018-12-25T12:29:20.973289023Z | 78 | PC: 12b4d | Find first file |
| 2018-12-25T12:29:20.980909806Z | 67 | PC: 12b8b | Get or set file attributes |
| 2018-12-25T12:29:20.988046361Z | 67 | PC: 12b9e | Get or set file attributes |
| 2018-12-25T12:29:21.005627028Z | 61 | PC: 12ba9 | Open file (Filename = 'SLEEP.COM') |
| 2018-12-25T12:29:21.014633235Z | 87 | PC: 12bb5 | Get or set file date and time |
| 2018-12-25T12:29:21.016492114Z | 44 | PC: 12bc1 | Get time 0x12bc1: and dh, 7 0x12bc4: jne 0x12bd6 0x12bc6: mov ah, 0x40 0x12bc8: mov cx, 5 0x12bcb: mov dx, si 0x12bcd: add dx, 0x8a 0x12bd1: int 0x21 0x12bd3: jmp 0x12c3a 0x12bd5: nop 0x12bd6: mov ah, 0x3f 0x12bd8: mov cx, 3 0x12bdb: mov dx, 0xa 0x12bde: nop 0x12bdf: add dx, si 0x12be1: int 0x21 0x12be3: jb 0x12c3a 0x12be5: cmp ax, 3 0x12be8: jne 0x12c3a 0x12bea: mov ax, 0x4202 0x12bed: mov cx, 0 |
| 2018-12-25T12:29:21.019039307Z | 63 | PC: 12be3 | Read file or device (Read 3 bytes on handle 5) |
| 2018-12-25T12:29:21.026701799Z | 66 | PC: 12bf5 | Move file pointer |
| 2018-12-25T12:29:21.029026291Z | 64 | PC: 12c19 | Write file or device (Write 648 bytes on handle 5) |
| 2018-12-25T12:29:21.038499163Z | 66 | PC: 12c2b | Move file pointer |
| 2018-12-25T12:29:21.041028037Z | 64 | PC: 12c3a | Write file or device (Write 3 bytes on handle 5) |
| 2018-12-25T12:29:21.0544375Z | 87 | PC: 12c4f | Get or set file date and time |
| 2018-12-25T12:29:21.056059832Z | 62 | PC: 12c53 | Close file |
| 2018-12-25T12:29:21.062504434Z | 67 | PC: 12c62 | Get or set file attributes |
| 2018-12-25T12:29:21.072813743Z | 26 | PC: 12c6f | Set disk transfer address |
| 2018-12-25T12:29:21.074289959Z | 9 | PC: 12a48 | Display string (String= 'This program only exists to become infected - COM version ') |
| 2018-12-25T12:29:21.078684687Z | 76 | PC: 12a4d | Terminate with return code (Return code = '0') |
{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":7,"TimeBased":true,"OriginalID":10844,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:29:21.290863113Z | 48 | PC: 12aa2 | Get DOS version |
| 2018-12-25T12:29:21.293662427Z | 47 | PC: 12aae | Get disk transfer address |
| 2018-12-25T12:29:21.294823075Z | 26 | PC: 12ac1 | Set disk transfer address |
| 2018-12-25T12:29:21.296035854Z | 78 | PC: 12b4d | Find first file |
| 2018-12-25T12:29:21.30332434Z | 67 | PC: 12b8b | Get or set file attributes |
| 2018-12-25T12:29:21.309107086Z | 67 | PC: 12b9e | Get or set file attributes |
| 2018-12-25T12:29:21.324495732Z | 61 | PC: 12ba9 | Open file (Filename = 'SLEEP.COM') |
| 2018-12-25T12:29:21.366606794Z | 87 | PC: 12bb5 | Get or set file date and time |
| 2018-12-25T12:29:21.368969201Z | 44 | PC: 12bc1 | Get time 0x12bc1: and dh, 7 0x12bc4: jne 0x12bd6 0x12bc6: mov ah, 0x40 0x12bc8: mov cx, 5 0x12bcb: mov dx, si 0x12bcd: add dx, 0x8a 0x12bd1: int 0x21 0x12bd3: jmp 0x12c3a 0x12bd5: nop 0x12bd6: mov ah, 0x3f 0x12bd8: mov cx, 3 0x12bdb: mov dx, 0xa 0x12bde: nop 0x12bdf: add dx, si 0x12be1: int 0x21 0x12be3: jb 0x12c3a 0x12be5: cmp ax, 3 0x12be8: jne 0x12c3a 0x12bea: mov ax, 0x4202 0x12bed: mov cx, 0 |
| 2018-12-25T12:29:21.372203488Z | 63 | PC: 12be3 | Read file or device (Read 3 bytes on handle 5) |
| 2018-12-25T12:29:21.379734782Z | 66 | PC: 12bf5 | Move file pointer |
| 2018-12-25T12:29:21.3830491Z | 64 | PC: 12c19 | Write file or device (Write 648 bytes on handle 5) |
| 2018-12-25T12:29:21.406995687Z | 66 | PC: 12c2b | Move file pointer |
| 2018-12-25T12:29:21.408455845Z | 64 | PC: 12c3a | Write file or device (Write 3 bytes on handle 5) |
| 2018-12-25T12:29:21.416199103Z | 87 | PC: 12c4f | Get or set file date and time |
| 2018-12-25T12:29:21.418023437Z | 62 | PC: 12c53 | Close file |
| 2018-12-25T12:29:21.425901576Z | 67 | PC: 12c62 | Get or set file attributes |
| 2018-12-25T12:29:21.436731094Z | 26 | PC: 12c6f | Set disk transfer address |
| 2018-12-25T12:29:21.438076563Z | 9 | PC: 12a48 | Display string (String= 'This program only exists to become infected - COM version ') |
| 2018-12-25T12:29:21.443704589Z | 76 | PC: 12a4d | Terminate with return code (Return code = '0') |