Sample viewer

vx.netlux.org/Virus.DOS.Spanska_II.4270

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:12:41.400821876Z	105	PC: 12aff \| Get or set media id
2018-12-17T23:12:41.402794381Z	74	PC: 12b18 \| Reallocate memory
2018-12-17T23:12:41.40550803Z	74	PC: 12b29 \| Reallocate memory
2018-12-17T23:12:41.407583343Z	72	PC: 12b39 \| Allocate memory
2018-12-17T23:12:41.409869657Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:12:41.417054186Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:12:41.418575674Z	78	PC: 12f56 \| Find first file
2018-12-17T23:12:41.428634946Z	67	PC: 12f68 \| Get or set file attributes
2018-12-17T23:12:41.435886961Z	67	PC: 12f7c \| Get or set file attributes
2018-12-17T23:12:41.777802148Z	61	PC: 12f85 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-17T23:12:41.787059858Z	87	PC: 12f9a \| Get or set file date and time
2018-12-17T23:12:41.790313698Z	63	PC: 12fb0 \| Read file or device (Read 4 bytes on handle 5)
2018-12-17T23:12:41.795802223Z	66	PC: 12ff6 \| Move file pointer
2018-12-17T23:12:41.797118469Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.799119332Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.801097205Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.802794535Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.804485239Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.806800432Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.80846082Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.810385907Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.812775361Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.814566434Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.816387768Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.819936877Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.82243648Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.824855725Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.828756425Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.831864543Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-17T23:12:41.833971557Z	44	PC: 134e5 \| Get time 0x134e5: mov byte ptr cs:[bp + 0x11dc], dl 0x134ea: lea si, word ptr [bp + 0x1b6] 0x134ee: lea di, word ptr [bp + 0x11dd] 0x134f2: mov cx, 0x1026 0x134f5: mov al, byte ptr cs:[bp + 0x11db] 0x134fa: cmp al, 0 0x134fc: je 0x1353b 0x134fe: cmp al, 1 0x13500: je 0x13532 0x13502: cmp al, 2 0x13504: je 0x13529 0x13506: cmp al, 3 0x13508: je 0x13520 0x1350a: cmp al, 4 0x1350c: je 0x13517 0x1350e: lodsb al, byte ptr [si] 0x1350f: neg al 0x13511: stosb byte ptr es:[di], al 0x13512: loop 0x1350e 0x13514: jmp 0x13541
2018-12-17T23:12:41.837692563Z	64	PC: 13011 \| Write file or device (Write 135 bytes on handle 5)
2018-12-17T23:12:41.844862374Z	64	PC: 13025 \| Write file or device (Write 4135 bytes on handle 5)
2018-12-17T23:12:41.855276069Z	66	PC: 1303c \| Move file pointer
2018-12-17T23:12:41.857256214Z	64	PC: 13050 \| Write file or device (Write 4 bytes on handle 5)
2018-12-17T23:12:41.861480102Z	87	PC: 1306d \| Get or set file date and time
2018-12-17T23:12:41.863594317Z	62	PC: 13071 \| Close file
2018-12-17T23:12:41.87131087Z	67	PC: 13087 \| Get or set file attributes
2018-12-17T23:12:41.8765013Z	44	PC: 12ee1 \| Get time 0x12ee1: cmp cl, 0x1e 0x12ee4: jne 0x12eee 0x12ee6: cmp dh, 0xf 0x12ee9: ja 0x12eee 0x12eeb: jmp 0x13094 0x12eee: cmp byte ptr cs:[0], 0xcd 0x12ef4: je 0x12f1a 0x12ef6: mov ax, es 0x12ef8: add ax, 0x10 0x12efb: add word ptr cs:[bp + 0x5d4], ax 0x12f00: cli 0x12f01: add ax, word ptr cs:[bp + 0x5d6] 0x12f06: mov ss, ax 0x12f08: mov sp, word ptr cs:[bp + 0x5d8] 0x12f0d: sti 0x12f0e: call 0x12f35 0x12f11: ljmp 0x9090:0x9090 0x12f16: nop 0x12f17: nop 0x12f18: nop
2018-12-17T23:12:41.879120921Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-17T23:12:41.881698592Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":17596,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:56:13.566139993Z	105	PC: 12aff \| Get or set media id
2018-12-25T12:56:13.568445759Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T12:56:13.57133338Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T12:56:13.57332812Z	72	PC: 12b39 \| Allocate memory
2018-12-25T12:56:13.576039097Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:56:13.57885993Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:56:13.580477372Z	78	PC: 12f56 \| Find first file
2018-12-25T12:56:13.591130184Z	67	PC: 12f68 \| Get or set file attributes
2018-12-25T12:56:13.604434662Z	67	PC: 12f7c \| Get or set file attributes
2018-12-25T12:56:13.953001503Z	61	PC: 12f85 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T12:56:13.961948078Z	87	PC: 12f9a \| Get or set file date and time
2018-12-25T12:56:13.964772803Z	63	PC: 12fb0 \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:56:13.970917142Z	66	PC: 12ff6 \| Move file pointer
2018-12-25T12:56:13.973068667Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-25T12:56:13.97695738Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.979762595Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.982413365Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.984924884Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.988619073Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.991120553Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.99378904Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.9970247Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:13.999469786Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.001739541Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.00459117Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.007599737Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.010065433Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.013873451Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.017072336Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.020037083Z	44	PC: 134e5 \| Get time 0x134e5: mov byte ptr cs:[bp + 0x11dc], dl 0x134ea: lea si, word ptr [bp + 0x1b6] 0x134ee: lea di, word ptr [bp + 0x11dd] 0x134f2: mov cx, 0x1026 0x134f5: mov al, byte ptr cs:[bp + 0x11db] 0x134fa: cmp al, 0 0x134fc: je 0x1353b 0x134fe: cmp al, 1 0x13500: je 0x13532 0x13502: cmp al, 2 0x13504: je 0x13529 0x13506: cmp al, 3 0x13508: je 0x13520 0x1350a: cmp al, 4 0x1350c: je 0x13517 0x1350e: lodsb al, byte ptr [si] 0x1350f: neg al 0x13511: stosb byte ptr es:[di], al 0x13512: loop 0x1350e 0x13514: jmp 0x13541
2018-12-25T12:56:14.024609578Z	64	PC: 13011 \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T12:56:14.032260845Z	64	PC: 13025 \| Write file or device (Write 4135 bytes on handle 5)
2018-12-25T12:56:14.044379432Z	66	PC: 1303c \| Move file pointer
2018-12-25T12:56:14.046532593Z	64	PC: 13050 \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T12:56:14.050145812Z	87	PC: 1306d \| Get or set file date and time
2018-12-25T12:56:14.052843243Z	62	PC: 13071 \| Close file
2018-12-25T12:56:14.060908901Z	67	PC: 13087 \| Get or set file attributes
2018-12-25T12:56:14.066896568Z	44	PC: 12ee1 \| Get time 0x12ee1: cmp cl, 0x1e 0x12ee4: jne 0x12eee 0x12ee6: cmp dh, 0xf 0x12ee9: ja 0x12eee 0x12eeb: jmp 0x13094 0x12eee: cmp byte ptr cs:[0], 0xcd 0x12ef4: je 0x12f1a 0x12ef6: mov ax, es 0x12ef8: add ax, 0x10 0x12efb: add word ptr cs:[bp + 0x5d4], ax 0x12f00: cli 0x12f01: add ax, word ptr cs:[bp + 0x5d6] 0x12f06: mov ss, ax 0x12f08: mov sp, word ptr cs:[bp + 0x5d8] 0x12f0d: sti 0x12f0e: call 0x12f35 0x12f11: ljmp 0x9090:0x9090 0x12f16: nop 0x12f17: nop 0x12f18: nop
2018-12-25T12:56:14.069380928Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-25T12:56:14.072023391Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":0,"TimeBased":true,"OriginalID":17596,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:56:14.345321699Z	105	PC: 12aff \| Get or set media id
2018-12-25T12:56:14.347597097Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T12:56:14.349651084Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T12:56:14.351406652Z	72	PC: 12b39 \| Allocate memory
2018-12-25T12:56:14.353429801Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:56:14.355000248Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:56:14.356576475Z	78	PC: 12f56 \| Find first file
2018-12-25T12:56:14.365386956Z	67	PC: 12f68 \| Get or set file attributes
2018-12-25T12:56:14.371665245Z	67	PC: 12f7c \| Get or set file attributes
2018-12-25T12:56:14.7542931Z	61	PC: 12f85 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T12:56:14.761054817Z	87	PC: 12f9a \| Get or set file date and time
2018-12-25T12:56:14.763002082Z	63	PC: 12fb0 \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:56:14.768695128Z	66	PC: 12ff6 \| Move file pointer
2018-12-25T12:56:14.770162432Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-25T12:56:14.773995148Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.776428526Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.779012575Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.782049639Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.784245775Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.786314171Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.788634717Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.790816365Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.792874893Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.795318983Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.797763325Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.800238308Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.803141837Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.805295501Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.807313877Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.809994683Z	44	PC: 134e5 \| Get time 0x134e5: mov byte ptr cs:[bp + 0x11dc], dl 0x134ea: lea si, word ptr [bp + 0x1b6] 0x134ee: lea di, word ptr [bp + 0x11dd] 0x134f2: mov cx, 0x1026 0x134f5: mov al, byte ptr cs:[bp + 0x11db] 0x134fa: cmp al, 0 0x134fc: je 0x1353b 0x134fe: cmp al, 1 0x13500: je 0x13532 0x13502: cmp al, 2 0x13504: je 0x13529 0x13506: cmp al, 3 0x13508: je 0x13520 0x1350a: cmp al, 4 0x1350c: je 0x13517 0x1350e: lodsb al, byte ptr [si] 0x1350f: neg al 0x13511: stosb byte ptr es:[di], al 0x13512: loop 0x1350e 0x13514: jmp 0x13541
2018-12-25T12:56:14.812699431Z	64	PC: 13011 \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T12:56:14.819004762Z	64	PC: 13025 \| Write file or device (Write 4135 bytes on handle 5)
2018-12-25T12:56:14.829222178Z	66	PC: 1303c \| Move file pointer
2018-12-25T12:56:14.831522635Z	64	PC: 13050 \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T12:56:14.834326228Z	87	PC: 1306d \| Get or set file date and time
2018-12-25T12:56:14.835851387Z	62	PC: 13071 \| Close file
2018-12-25T12:56:14.843841407Z	67	PC: 13087 \| Get or set file attributes
2018-12-25T12:56:14.849076399Z	44	PC: 12ee1 \| Get time 0x12ee1: cmp cl, 0x1e 0x12ee4: jne 0x12eee 0x12ee6: cmp dh, 0xf 0x12ee9: ja 0x12eee 0x12eeb: jmp 0x13094 0x12eee: cmp byte ptr cs:[0], 0xcd 0x12ef4: je 0x12f1a 0x12ef6: mov ax, es 0x12ef8: add ax, 0x10 0x12efb: add word ptr cs:[bp + 0x5d4], ax 0x12f00: cli 0x12f01: add ax, word ptr cs:[bp + 0x5d6] 0x12f06: mov ss, ax 0x12f08: mov sp, word ptr cs:[bp + 0x5d8] 0x12f0d: sti 0x12f0e: call 0x12f35 0x12f11: ljmp 0x9090:0x9090 0x12f16: nop 0x12f17: nop 0x12f18: nop
2018-12-25T12:56:14.857957302Z	42	PC: 13554 \| Get date (See above)

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":16,"TimeBased":true,"OriginalID":17596,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:56:14.123658283Z	105	PC: 12aff \| Get or set media id
2018-12-25T12:56:14.125607486Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T12:56:14.128313068Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T12:56:14.130245743Z	72	PC: 12b39 \| Allocate memory
2018-12-25T12:56:14.132445826Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:56:14.135254687Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:56:14.137010494Z	78	PC: 12f56 \| Find first file
2018-12-25T12:56:14.147753904Z	67	PC: 12f68 \| Get or set file attributes
2018-12-25T12:56:14.155866281Z	67	PC: 12f7c \| Get or set file attributes
2018-12-25T12:56:14.542442277Z	61	PC: 12f85 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T12:56:14.551431432Z	87	PC: 12f9a \| Get or set file date and time
2018-12-25T12:56:14.55452489Z	63	PC: 12fb0 \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:56:14.562826828Z	66	PC: 12ff6 \| Move file pointer
2018-12-25T12:56:14.565164097Z	42	PC: 13554 \| Get date 0x13554: xchg ax, dx 0x13555: xor ax, 0xffff 0x13558: xor dx, dx 0x1355a: div bx 0x1355c: xchg ax, dx 0x1355d: pop cx 0x1355e: pop dx 0x1355f: pop bx 0x13560: ret 0x13561: call 0x2354c 0x13564: mov cx, bx 0x13566: mul bx 0x13568: add si, ax 0x1356a: rep movsb byte ptr es:[di], byte ptr [si] 0x1356c: ret 0x1356d: mov di, sp 0x1356f: call 0x13573 0x13572: ret 0x13573: dec di 0x13574: dec di
2018-12-25T12:56:14.567850596Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.570462499Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.57316457Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.575482354Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.578358697Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.580836975Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.583290272Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.586214252Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.588607649Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.590869252Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.593831235Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.596667975Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.599134835Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.602525453Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.605119092Z	42	PC: 13554 \| Get date (See above)
2018-12-25T12:56:14.607573706Z	44	PC: 134e5 \| Get time 0x134e5: mov byte ptr cs:[bp + 0x11dc], dl 0x134ea: lea si, word ptr [bp + 0x1b6] 0x134ee: lea di, word ptr [bp + 0x11dd] 0x134f2: mov cx, 0x1026 0x134f5: mov al, byte ptr cs:[bp + 0x11db] 0x134fa: cmp al, 0 0x134fc: je 0x1353b 0x134fe: cmp al, 1 0x13500: je 0x13532 0x13502: cmp al, 2 0x13504: je 0x13529 0x13506: cmp al, 3 0x13508: je 0x13520 0x1350a: cmp al, 4 0x1350c: je 0x13517 0x1350e: lodsb al, byte ptr [si] 0x1350f: neg al 0x13511: stosb byte ptr es:[di], al 0x13512: loop 0x1350e 0x13514: jmp 0x13541
2018-12-25T12:56:14.611217869Z	64	PC: 13011 \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T12:56:14.618299814Z	64	PC: 13025 \| Write file or device (Write 4135 bytes on handle 5)
2018-12-25T12:56:14.636726439Z	66	PC: 1303c \| Move file pointer
2018-12-25T12:56:14.63905844Z	64	PC: 13050 \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T12:56:14.643210866Z	87	PC: 1306d \| Get or set file date and time
2018-12-25T12:56:14.644431079Z	62	PC: 13071 \| Close file
2018-12-25T12:56:14.649774903Z	67	PC: 13087 \| Get or set file attributes
2018-12-25T12:56:14.655701425Z	44	PC: 12ee1 \| Get time 0x12ee1: cmp cl, 0x1e 0x12ee4: jne 0x12eee 0x12ee6: cmp dh, 0xf 0x12ee9: ja 0x12eee 0x12eeb: jmp 0x13094 0x12eee: cmp byte ptr cs:[0], 0xcd 0x12ef4: je 0x12f1a 0x12ef6: mov ax, es 0x12ef8: add ax, 0x10 0x12efb: add word ptr cs:[bp + 0x5d4], ax 0x12f00: cli 0x12f01: add ax, word ptr cs:[bp + 0x5d6] 0x12f06: mov ss, ax 0x12f08: mov sp, word ptr cs:[bp + 0x5d8] 0x12f0d: sti 0x12f0e: call 0x12f35 0x12f11: ljmp 0x9090:0x9090 0x12f16: nop 0x12f17: nop 0x12f18: nop
2018-12-25T12:56:14.658212955Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-25T12:56:14.660888704Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')