{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":15998,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:45:04.013451605Z | 53 | PC: 12b3f | Get interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.014952579Z | 37 | PC: 12b51 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.016142729Z | 71 | PC: 12b5c | Get current directory |
| 2018-12-25T12:45:04.019178029Z | 25 | PC: 12b61 | Get default drive |
| 2018-12-25T12:45:04.020796812Z | 26 | PC: 12b88 | Set disk transfer address |
| 2018-12-25T12:45:04.022151602Z | 42 | PC: 12b8c | Get date 0x12b8c: cmp dx, 0x202 0x12b90: jne 0x12b95 0x12b92: jmp 0x12d53 0x12b95: mov ah, 0x4e 0x12b97: lea dx, word ptr [si + 0x438] 0x12b9b: mov cx, 7 0x12b9e: int 0x21 0x12ba0: jae 0x12be6 0x12ba2: mov ah, 0x1a 0x12ba4: lea dx, word ptr [si + 0x518] 0x12ba8: int 0x21 0x12baa: mov ah, 0x3b 0x12bac: lea dx, word ptr [si + 0x442] 0x12bb0: int 0x21 0x12bb2: jb 0x12bb6 0x12bb4: jmp 0x12b80 0x12bb6: cmp byte ptr [si + 0x45d], 1 0x12bbb: je 0x12bd6 0x12bbd: mov al, 1 0x12bbf: mov byte ptr [si + 0x45d], al |
| 2018-12-25T12:45:04.024521444Z | 78 | PC: 12ba0 | Find first file |
| 2018-12-25T12:45:04.031120775Z | 67 | PC: 12bf9 | Get or set file attributes |
| 2018-12-25T12:45:04.82828021Z | 61 | PC: 12da1 | Open file (Filename = 'SLEEP.COM') |
| 2018-12-25T12:45:04.835774768Z | 63 | PC: 12c20 | Read file or device (Read 4 bytes on handle 5) |
| 2018-12-25T12:45:04.842885406Z | 66 | PC: 12d97 | Move file pointer |
| 2018-12-25T12:45:04.845430222Z | 44 | PC: 12c8b | Get time 0x12c8b: cmp dx, 0 0x12c8e: je 0x12c87 0x12c90: mov word ptr [si + 0x119], dx 0x12c94: mov cl, 8 0x12c96: ror dx, cl 0x12c98: mov word ptr [si + 0x45b], dx 0x12c9c: cmp dl, 0x1e 0x12c9f: jle 0x12ca4 0x12ca1: jmp 0x12cc3 0x12ca3: nop 0x12ca4: lea si, word ptr [bp + 0x143] 0x12ca8: lea di, word ptr [bp + 0x11b] 0x12cac: mov cx, 0x10 0x12caf: call 0x12d6a 0x12cb2: lea si, word ptr [bp + 0x153] 0x12cb6: lea di, word ptr [bp + 0x133] 0x12cba: mov cx, 6 0x12cbd: call 0x12d6a 0x12cc0: jmp 0x12cdf 0x12cc2: nop |
| 2018-12-25T12:45:04.848217888Z | 64 | PC: 12ad8 | Write file or device (Write 860 bytes on handle 5) |
| 2018-12-25T12:45:04.858332361Z | 66 | PC: 12d8d | Move file pointer |
| 2018-12-25T12:45:04.860185239Z | 64 | PC: 12d03 | Write file or device (Write 4 bytes on handle 5) |
| 2018-12-25T12:45:04.86460816Z | 87 | PC: 12d14 | Get or set file date and time |
| 2018-12-25T12:45:04.865733181Z | 62 | PC: 12d18 | Close file |
| 2018-12-25T12:45:04.876646906Z | 67 | PC: 12d27 | Get or set file attributes |
| 2018-12-25T12:45:04.887963129Z | 59 | PC: 12d2f | Change current directory |
| 2018-12-25T12:45:04.892790097Z | 26 | PC: 12d36 | Set disk transfer address |
| 2018-12-25T12:45:04.894411981Z | 37 | PC: 12d41 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.897108693Z | 9 | PC: 12aa2 | Display string (String= 'This file is infected with the Marauder virus. 1992, Hellraiser Phalcon/Skism. ') |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":15998,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:45:04.199699661Z | 53 | PC: 12b3f | Get interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.210540793Z | 37 | PC: 12b51 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.211752941Z | 71 | PC: 12b5c | Get current directory |
| 2018-12-25T12:45:04.214572455Z | 25 | PC: 12b61 | Get default drive |
| 2018-12-25T12:45:04.215587962Z | 26 | PC: 12b88 | Set disk transfer address |
| 2018-12-25T12:45:04.217173523Z | 42 | PC: 12b8c | Get date 0x12b8c: cmp dx, 0x202 0x12b90: jne 0x12b95 0x12b92: jmp 0x12d53 0x12b95: mov ah, 0x4e 0x12b97: lea dx, word ptr [si + 0x438] 0x12b9b: mov cx, 7 0x12b9e: int 0x21 0x12ba0: jae 0x12be6 0x12ba2: mov ah, 0x1a 0x12ba4: lea dx, word ptr [si + 0x518] 0x12ba8: int 0x21 0x12baa: mov ah, 0x3b 0x12bac: lea dx, word ptr [si + 0x442] 0x12bb0: int 0x21 0x12bb2: jb 0x12bb6 0x12bb4: jmp 0x12b80 0x12bb6: cmp byte ptr [si + 0x45d], 1 0x12bbb: je 0x12bd6 0x12bbd: mov al, 1 0x12bbf: mov byte ptr [si + 0x45d], al |
| 2018-12-25T12:45:04.219202873Z | 78 | PC: 12ba0 | Find first file |
| 2018-12-25T12:45:04.225110513Z | 67 | PC: 12bf9 | Get or set file attributes |
| 2018-12-25T12:45:04.242999348Z | 61 | PC: 12da1 | Open file (Filename = 'SLEEP.COM') |
| 2018-12-25T12:45:04.249554203Z | 63 | PC: 12c20 | Read file or device (Read 4 bytes on handle 5) |
| 2018-12-25T12:45:04.256236787Z | 66 | PC: 12d97 | Move file pointer |
| 2018-12-25T12:45:04.25845393Z | 44 | PC: 12c8b | Get time 0x12c8b: cmp dx, 0 0x12c8e: je 0x12c87 0x12c90: mov word ptr [si + 0x119], dx 0x12c94: mov cl, 8 0x12c96: ror dx, cl 0x12c98: mov word ptr [si + 0x45b], dx 0x12c9c: cmp dl, 0x1e 0x12c9f: jle 0x12ca4 0x12ca1: jmp 0x12cc3 0x12ca3: nop 0x12ca4: lea si, word ptr [bp + 0x143] 0x12ca8: lea di, word ptr [bp + 0x11b] 0x12cac: mov cx, 0x10 0x12caf: call 0x12d6a 0x12cb2: lea si, word ptr [bp + 0x153] 0x12cb6: lea di, word ptr [bp + 0x133] 0x12cba: mov cx, 6 0x12cbd: call 0x12d6a 0x12cc0: jmp 0x12cdf 0x12cc2: nop |
| 2018-12-25T12:45:04.261010441Z | 64 | PC: 12ad8 | Write file or device (Write 860 bytes on handle 5) |
| 2018-12-25T12:45:04.269568447Z | 66 | PC: 12d8d | Move file pointer |
| 2018-12-25T12:45:04.272019724Z | 64 | PC: 12d03 | Write file or device (Write 4 bytes on handle 5) |
| 2018-12-25T12:45:04.289944795Z | 87 | PC: 12d14 | Get or set file date and time |
| 2018-12-25T12:45:04.291658465Z | 62 | PC: 12d18 | Close file |
| 2018-12-25T12:45:04.300968823Z | 67 | PC: 12d27 | Get or set file attributes |
| 2018-12-25T12:45:04.311079416Z | 59 | PC: 12d2f | Change current directory |
| 2018-12-25T12:45:04.31496879Z | 26 | PC: 12d36 | Set disk transfer address |
| 2018-12-25T12:45:04.316031854Z | 37 | PC: 12d41 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.317806522Z | 9 | PC: 12aa2 | Display string (String= 'This file is infected with the Marauder virus. 1992, Hellraiser Phalcon/Skism. ') |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":1,"TimeBased":true,"OriginalID":15998,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:45:04.367939598Z | 53 | PC: 12b3f | Get interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.369484402Z | 37 | PC: 12b51 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.37062987Z | 71 | PC: 12b5c | Get current directory |
| 2018-12-25T12:45:04.374784304Z | 25 | PC: 12b61 | Get default drive |
| 2018-12-25T12:45:04.376353776Z | 26 | PC: 12b88 | Set disk transfer address |
| 2018-12-25T12:45:04.37745996Z | 42 | PC: 12b8c | Get date 0x12b8c: cmp dx, 0x202 0x12b90: jne 0x12b95 0x12b92: jmp 0x12d53 0x12b95: mov ah, 0x4e 0x12b97: lea dx, word ptr [si + 0x438] 0x12b9b: mov cx, 7 0x12b9e: int 0x21 0x12ba0: jae 0x12be6 0x12ba2: mov ah, 0x1a 0x12ba4: lea dx, word ptr [si + 0x518] 0x12ba8: int 0x21 0x12baa: mov ah, 0x3b 0x12bac: lea dx, word ptr [si + 0x442] 0x12bb0: int 0x21 0x12bb2: jb 0x12bb6 0x12bb4: jmp 0x12b80 0x12bb6: cmp byte ptr [si + 0x45d], 1 0x12bbb: je 0x12bd6 0x12bbd: mov al, 1 0x12bbf: mov byte ptr [si + 0x45d], al |
| 2018-12-25T12:45:04.37962805Z | 78 | PC: 12ba0 | Find first file |
| 2018-12-25T12:45:04.386374828Z | 67 | PC: 12bf9 | Get or set file attributes |
| 2018-12-25T12:45:04.401354544Z | 61 | PC: 12da1 | Open file (Filename = 'SLEEP.COM') |
| 2018-12-25T12:45:04.407824397Z | 63 | PC: 12c20 | Read file or device (Read 4 bytes on handle 5) |
| 2018-12-25T12:45:04.414004179Z | 66 | PC: 12d97 | Move file pointer |
| 2018-12-25T12:45:04.416118137Z | 44 | PC: 12c8b | Get time 0x12c8b: cmp dx, 0 0x12c8e: je 0x12c87 0x12c90: mov word ptr [si + 0x119], dx 0x12c94: mov cl, 8 0x12c96: ror dx, cl 0x12c98: mov word ptr [si + 0x45b], dx 0x12c9c: cmp dl, 0x1e 0x12c9f: jle 0x12ca4 0x12ca1: jmp 0x12cc3 0x12ca3: nop 0x12ca4: lea si, word ptr [bp + 0x143] 0x12ca8: lea di, word ptr [bp + 0x11b] 0x12cac: mov cx, 0x10 0x12caf: call 0x12d6a 0x12cb2: lea si, word ptr [bp + 0x153] 0x12cb6: lea di, word ptr [bp + 0x133] 0x12cba: mov cx, 6 0x12cbd: call 0x12d6a 0x12cc0: jmp 0x12cdf 0x12cc2: nop |
| 2018-12-25T12:45:04.418514371Z | 64 | PC: 12ad8 | Write file or device (Write 860 bytes on handle 5) |
| 2018-12-25T12:45:04.427514127Z | 66 | PC: 12d8d | Move file pointer |
| 2018-12-25T12:45:04.429304925Z | 64 | PC: 12d03 | Write file or device (Write 4 bytes on handle 5) |
| 2018-12-25T12:45:04.435962956Z | 87 | PC: 12d14 | Get or set file date and time |
| 2018-12-25T12:45:04.438540728Z | 62 | PC: 12d18 | Close file |
| 2018-12-25T12:45:04.446937762Z | 67 | PC: 12d27 | Get or set file attributes |
| 2018-12-25T12:45:04.456711304Z | 59 | PC: 12d2f | Change current directory |
| 2018-12-25T12:45:04.460644281Z | 26 | PC: 12d36 | Set disk transfer address |
| 2018-12-25T12:45:04.463236163Z | 37 | PC: 12d41 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:04.464720442Z | 9 | PC: 12aa2 | Display string (String= 'This file is infected with the Marauder virus. 1992, Hellraiser Phalcon/Skism. ') |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":1,"TimeBased":true,"OriginalID":15998,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T12:45:05.337774699Z | 53 | PC: 12b3f | Get interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:05.338876427Z | 37 | PC: 12b51 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:05.339989501Z | 71 | PC: 12b5c | Get current directory |
| 2018-12-25T12:45:05.341897364Z | 25 | PC: 12b61 | Get default drive |
| 2018-12-25T12:45:05.342761449Z | 26 | PC: 12b88 | Set disk transfer address |
| 2018-12-25T12:45:05.343681743Z | 42 | PC: 12b8c | Get date 0x12b8c: cmp dx, 0x202 0x12b90: jne 0x12b95 0x12b92: jmp 0x12d53 0x12b95: mov ah, 0x4e 0x12b97: lea dx, word ptr [si + 0x438] 0x12b9b: mov cx, 7 0x12b9e: int 0x21 0x12ba0: jae 0x12be6 0x12ba2: mov ah, 0x1a 0x12ba4: lea dx, word ptr [si + 0x518] 0x12ba8: int 0x21 0x12baa: mov ah, 0x3b 0x12bac: lea dx, word ptr [si + 0x442] 0x12bb0: int 0x21 0x12bb2: jb 0x12bb6 0x12bb4: jmp 0x12b80 0x12bb6: cmp byte ptr [si + 0x45d], 1 0x12bbb: je 0x12bd6 0x12bbd: mov al, 1 0x12bbf: mov byte ptr [si + 0x45d], al |
| 2018-12-25T12:45:05.345237465Z | 78 | PC: 12ba0 | Find first file |
| 2018-12-25T12:45:05.349155888Z | 67 | PC: 12bf9 | Get or set file attributes |
| 2018-12-25T12:45:05.364556787Z | 61 | PC: 12da1 | Open file (Filename = 'SLEEP.COM') |
| 2018-12-25T12:45:05.371507849Z | 63 | PC: 12c20 | Read file or device (Read 4 bytes on handle 5) |
| 2018-12-25T12:45:05.378314303Z | 66 | PC: 12d97 | Move file pointer |
| 2018-12-25T12:45:05.382015528Z | 44 | PC: 12c8b | Get time 0x12c8b: cmp dx, 0 0x12c8e: je 0x12c87 0x12c90: mov word ptr [si + 0x119], dx 0x12c94: mov cl, 8 0x12c96: ror dx, cl 0x12c98: mov word ptr [si + 0x45b], dx 0x12c9c: cmp dl, 0x1e 0x12c9f: jle 0x12ca4 0x12ca1: jmp 0x12cc3 0x12ca3: nop 0x12ca4: lea si, word ptr [bp + 0x143] 0x12ca8: lea di, word ptr [bp + 0x11b] 0x12cac: mov cx, 0x10 0x12caf: call 0x12d6a 0x12cb2: lea si, word ptr [bp + 0x153] 0x12cb6: lea di, word ptr [bp + 0x133] 0x12cba: mov cx, 6 0x12cbd: call 0x12d6a 0x12cc0: jmp 0x12cdf 0x12cc2: nop |
| 2018-12-25T12:45:05.384725654Z | 64 | PC: 12ad8 | Write file or device (Write 860 bytes on handle 5) |
| 2018-12-25T12:45:05.394738934Z | 66 | PC: 12d8d | Move file pointer |
| 2018-12-25T12:45:05.396458421Z | 64 | PC: 12d03 | Write file or device (Write 4 bytes on handle 5) |
| 2018-12-25T12:45:05.40361675Z | 87 | PC: 12d14 | Get or set file date and time |
| 2018-12-25T12:45:05.405053326Z | 62 | PC: 12d18 | Close file |
| 2018-12-25T12:45:05.413879415Z | 67 | PC: 12d27 | Get or set file attributes |
| 2018-12-25T12:45:05.424895275Z | 59 | PC: 12d2f | Change current directory |
| 2018-12-25T12:45:05.429642565Z | 26 | PC: 12d36 | Set disk transfer address |
| 2018-12-25T12:45:05.432246917Z | 37 | PC: 12d41 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number') |
| 2018-12-25T12:45:05.433504425Z | 9 | PC: 12aa2 | Display string (String= 'This file is infected with the Marauder virus. 1992, Hellraiser Phalcon/Skism. ') |