Sample viewer

vx.netlux.org/Virus.DOS.Spanska_II.4249

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:57:16.591686922Z	105	PC: 12aff \| Get or set media id
2018-12-17T22:57:16.593217139Z	74	PC: 12b18 \| Reallocate memory
2018-12-17T22:57:16.596225755Z	74	PC: 12b29 \| Reallocate memory
2018-12-17T22:57:16.598014148Z	72	PC: 12b39 \| Allocate memory
2018-12-17T22:57:16.599567137Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:57:16.603540988Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:57:16.604875146Z	78	PC: 12f53 \| Find first file
2018-12-17T22:57:16.613847274Z	67	PC: 12f65 \| Get or set file attributes
2018-12-17T22:57:16.624290396Z	67	PC: 12f79 \| Get or set file attributes
2018-12-17T22:57:16.961315144Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-17T22:57:16.970168468Z	87	PC: 12f97 \| Get or set file date and time
2018-12-17T22:57:16.973199617Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:57:16.98138268Z	66	PC: 12ff3 \| Move file pointer
2018-12-17T22:57:16.983321205Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:16.986658328Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:16.98980788Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:16.992967429Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:16.996775158Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.001461458Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.005910121Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.008956037Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.013045666Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.016037009Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.019051066Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.022605348Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.026153478Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.029168757Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.032975313Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.036012202Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-17T22:57:17.038961497Z	44	PC: 134d9 \| Get time 0x134d9: mov byte ptr cs:[bp + 0x11c7], dl 0x134de: lea si, word ptr [bp + 0x1b6] 0x134e2: lea di, word ptr [bp + 0x11c8] 0x134e6: mov cx, 0x1011 0x134e9: mov al, byte ptr cs:[bp + 0x11c6] 0x134ee: cmp al, 0 0x134f0: je 0x1352a 0x134f2: cmp al, 1 0x134f4: je 0x13522 0x134f6: cmp al, 2 0x134f8: je 0x1351a 0x134fa: cmp al, 3 0x134fc: je 0x13512 0x134fe: cmp al, 4 0x13500: je 0x1350a 0x13502: lodsb al, byte ptr [si] 0x13503: neg al 0x13505: stosb byte ptr es:[di], al 0x13506: loop 0x13502 0x13508: jmp 0x13530
2018-12-17T22:57:17.04317066Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-17T22:57:17.050633299Z	64	PC: 13022 \| Write file or device (Write 4114 bytes on handle 5)
2018-12-17T22:57:17.061868681Z	66	PC: 13039 \| Move file pointer
2018-12-17T22:57:17.063669226Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:57:17.067331612Z	87	PC: 1306a \| Get or set file date and time
2018-12-17T22:57:17.069377207Z	62	PC: 1306e \| Close file
2018-12-17T22:57:17.07776191Z	67	PC: 13084 \| Get or set file attributes
2018-12-17T22:57:17.083656211Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-17T22:57:17.086435206Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-17T22:57:17.089385452Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":12500,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:35:32.204728421Z	105	PC: 12aff \| Get or set media id
2018-12-25T12:35:32.206965441Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T12:35:32.209304104Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T12:35:32.212029703Z	72	PC: 12b39 \| Allocate memory
2018-12-25T12:35:32.214129427Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:35:32.216643874Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:35:32.218700192Z	78	PC: 12f53 \| Find first file
2018-12-25T12:35:32.229835784Z	67	PC: 12f65 \| Get or set file attributes
2018-12-25T12:35:32.237051723Z	67	PC: 12f79 \| Get or set file attributes
2018-12-25T12:35:32.583175405Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T12:35:32.591628385Z	87	PC: 12f97 \| Get or set file date and time
2018-12-25T12:35:32.594296588Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:35:32.606336758Z	66	PC: 12ff3 \| Move file pointer
2018-12-25T12:35:32.608597328Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-25T12:35:32.611762085Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.616669737Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.620260945Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.622958468Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.626825924Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.629467978Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.632147474Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.649694369Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.653657432Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.657509487Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.66204083Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.665467065Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.668211487Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.670935965Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.674572398Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.677799315Z	44	PC: 134d9 \| Get time 0x134d9: mov byte ptr cs:[bp + 0x11c7], dl 0x134de: lea si, word ptr [bp + 0x1b6] 0x134e2: lea di, word ptr [bp + 0x11c8] 0x134e6: mov cx, 0x1011 0x134e9: mov al, byte ptr cs:[bp + 0x11c6] 0x134ee: cmp al, 0 0x134f0: je 0x1352a 0x134f2: cmp al, 1 0x134f4: je 0x13522 0x134f6: cmp al, 2 0x134f8: je 0x1351a 0x134fa: cmp al, 3 0x134fc: je 0x13512 0x134fe: cmp al, 4 0x13500: je 0x1350a 0x13502: lodsb al, byte ptr [si] 0x13503: neg al 0x13505: stosb byte ptr es:[di], al 0x13506: loop 0x13502 0x13508: jmp 0x13530
2018-12-25T12:35:32.681207493Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T12:35:32.689367713Z	64	PC: 13022 \| Write file or device (Write 4114 bytes on handle 5)
2018-12-25T12:35:32.701771554Z	66	PC: 13039 \| Move file pointer
2018-12-25T12:35:32.703578846Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T12:35:32.70776624Z	87	PC: 1306a \| Get or set file date and time
2018-12-25T12:35:32.709962546Z	62	PC: 1306e \| Close file
2018-12-25T12:35:32.721447332Z	67	PC: 13084 \| Get or set file attributes
2018-12-25T12:35:32.727914472Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-25T12:35:32.731133642Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-25T12:35:32.734310629Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":0,"TimeBased":true,"OriginalID":12500,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:35:32.350027406Z	105	PC: 12aff \| Get or set media id
2018-12-25T12:35:32.367615175Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T12:35:32.373129494Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T12:35:32.374932952Z	72	PC: 12b39 \| Allocate memory
2018-12-25T12:35:32.37755728Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:35:32.379494159Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:35:32.380901146Z	78	PC: 12f53 \| Find first file
2018-12-25T12:35:32.391123622Z	67	PC: 12f65 \| Get or set file attributes
2018-12-25T12:35:32.397805801Z	67	PC: 12f79 \| Get or set file attributes
2018-12-25T12:35:32.742599508Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T12:35:32.751120719Z	87	PC: 12f97 \| Get or set file date and time
2018-12-25T12:35:32.762108726Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:35:32.768349942Z	66	PC: 12ff3 \| Move file pointer
2018-12-25T12:35:32.76979851Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-25T12:35:32.777368914Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.779241436Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.780882648Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.783394292Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.785270159Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.786881881Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.798670533Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.800625573Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.802687587Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.80634017Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.808336797Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.810080958Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.81266801Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.815696991Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.818284265Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:32.82138998Z	44	PC: 134d9 \| Get time 0x134d9: mov byte ptr cs:[bp + 0x11c7], dl 0x134de: lea si, word ptr [bp + 0x1b6] 0x134e2: lea di, word ptr [bp + 0x11c8] 0x134e6: mov cx, 0x1011 0x134e9: mov al, byte ptr cs:[bp + 0x11c6] 0x134ee: cmp al, 0 0x134f0: je 0x1352a 0x134f2: cmp al, 1 0x134f4: je 0x13522 0x134f6: cmp al, 2 0x134f8: je 0x1351a 0x134fa: cmp al, 3 0x134fc: je 0x13512 0x134fe: cmp al, 4 0x13500: je 0x1350a 0x13502: lodsb al, byte ptr [si] 0x13503: neg al 0x13505: stosb byte ptr es:[di], al 0x13506: loop 0x13502 0x13508: jmp 0x13530
2018-12-25T12:35:32.824382381Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T12:35:32.830937077Z	64	PC: 13022 \| Write file or device (Write 4114 bytes on handle 5)
2018-12-25T12:35:32.843873029Z	66	PC: 13039 \| Move file pointer
2018-12-25T12:35:32.84540687Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T12:35:32.848388787Z	87	PC: 1306a \| Get or set file date and time
2018-12-25T12:35:32.850919994Z	62	PC: 1306e \| Close file
2018-12-25T12:35:32.858633972Z	67	PC: 13084 \| Get or set file attributes
2018-12-25T12:35:32.864540119Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-25T12:35:32.883588969Z	42	PC: 13543 \| Get date (See above)

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":16,"TimeBased":true,"OriginalID":12500,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:35:32.877422312Z	105	PC: 12aff \| Get or set media id
2018-12-25T12:35:32.879838145Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T12:35:32.881527183Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T12:35:32.882929892Z	72	PC: 12b39 \| Allocate memory
2018-12-25T12:35:32.88492596Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:35:32.886227986Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:35:32.887729191Z	78	PC: 12f53 \| Find first file
2018-12-25T12:35:32.897475184Z	67	PC: 12f65 \| Get or set file attributes
2018-12-25T12:35:32.901725752Z	67	PC: 12f79 \| Get or set file attributes
2018-12-25T12:35:33.206821503Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T12:35:33.216845696Z	87	PC: 12f97 \| Get or set file date and time
2018-12-25T12:35:33.21868777Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:35:33.227238049Z	66	PC: 12ff3 \| Move file pointer
2018-12-25T12:35:33.228838621Z	42	PC: 13543 \| Get date 0x13543: xchg ax, dx 0x13544: xor ax, 0xffff 0x13547: xor dx, dx 0x13549: div bx 0x1354b: xchg ax, dx 0x1354c: pop cx 0x1354d: pop dx 0x1354e: pop bx 0x1354f: ret 0x13550: call 0x2353b 0x13553: mov cx, bx 0x13555: mul bx 0x13557: add si, ax 0x13559: rep movsb byte ptr es:[di], byte ptr [si] 0x1355b: ret 0x1355c: mov di, sp 0x1355e: call 0x13562 0x13561: ret 0x13562: dec di 0x13563: dec di
2018-12-25T12:35:33.23435464Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.238280839Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.241316355Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.244303912Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.246703918Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.249932969Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.252444294Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.25918627Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.261234382Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.267071375Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.269340112Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.272759095Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.275329903Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.277768732Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.28021643Z	42	PC: 13543 \| Get date (See above)
2018-12-25T12:35:33.287691909Z	44	PC: 134d9 \| Get time 0x134d9: mov byte ptr cs:[bp + 0x11c7], dl 0x134de: lea si, word ptr [bp + 0x1b6] 0x134e2: lea di, word ptr [bp + 0x11c8] 0x134e6: mov cx, 0x1011 0x134e9: mov al, byte ptr cs:[bp + 0x11c6] 0x134ee: cmp al, 0 0x134f0: je 0x1352a 0x134f2: cmp al, 1 0x134f4: je 0x13522 0x134f6: cmp al, 2 0x134f8: je 0x1351a 0x134fa: cmp al, 3 0x134fc: je 0x13512 0x134fe: cmp al, 4 0x13500: je 0x1350a 0x13502: lodsb al, byte ptr [si] 0x13503: neg al 0x13505: stosb byte ptr es:[di], al 0x13506: loop 0x13502 0x13508: jmp 0x13530
2018-12-25T12:35:33.291488169Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T12:35:33.298323502Z	64	PC: 13022 \| Write file or device (Write 4114 bytes on handle 5)
2018-12-25T12:35:33.308870706Z	66	PC: 13039 \| Move file pointer
2018-12-25T12:35:33.310636648Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T12:35:33.312559065Z	87	PC: 1306a \| Get or set file date and time
2018-12-25T12:35:33.313795711Z	62	PC: 1306e \| Close file
2018-12-25T12:35:33.318842117Z	67	PC: 13084 \| Get or set file attributes
2018-12-25T12:35:33.32262882Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-25T12:35:33.324305761Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-25T12:35:33.326498774Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')