Sample viewer

vx.netlux.org/Virus.DOS.1stVir.3173

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T21:51:54.84167756Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-17T21:51:54.843967817Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '97' AKA 'Reserved')
2018-12-17T21:51:54.845507261Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '98' AKA 'Get current PSP')
2018-12-17T21:51:54.847007443Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '99' AKA 'Get DBCS lead byte table pointer')
2018-12-17T21:51:54.848901556Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '100' AKA 'Set wait for external event flag')
2018-12-17T21:51:54.851242215Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '101' AKA 'Get extended country info')
2018-12-17T21:51:54.852737236Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-17T21:51:54.854219119Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '103' AKA 'Set handle count')
2018-12-17T21:51:54.856196848Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '104' AKA 'Commit file')
2018-12-17T21:51:54.858474224Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-17T21:51:54.860835868Z 38 PC: 14b5c | Create PSP
2018-12-17T21:51:54.863286755Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-17T21:51:54.865612393Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T21:51:54.867475528Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T21:51:54.869472402Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T21:51:54.87160452Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:51:54.87276182Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-17T21:51:54.873858258Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T21:51:54.875574448Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T21:51:54.877017071Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T21:51:54.878504873Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-17T21:51:54.879942557Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:51:54.881433473Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-17T21:51:54.882933822Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-17T21:51:54.885602447Z 48 PC: 12a63 | Get DOS version
2018-12-17T21:51:54.888530693Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-17T21:51:54.89871322Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-17T21:51:54.905360227Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-17T21:51:54.916323986Z 93 PC: 12b24 | File sharing functions
2018-12-17T21:51:54.918477368Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-17T21:51:54.92415034Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":13,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:20.409822264Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:20.411259081Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.412308899Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.413361836Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.414913846Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.415978117Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.417032836Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.418493197Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.419651661Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.420814251Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:20.422434437Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:20.423743976Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:20.424762627Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:20.426316683Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:20.427375232Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:20.428413877Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:20.430012311Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:20.431677796Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:20.433123095Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:20.434979772Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:20.436738028Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:20.437733698Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:20.439353049Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:20.440455651Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:20.442623941Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:20.444109845Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:20.453518917Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:20.460229375Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:20.464957531Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:20.466747182Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:20.470585514Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:20.603700655Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:20.604706593Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.605685315Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.607125247Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.608398961Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.609454341Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.61052067Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.612200666Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.613766324Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.614979333Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:20.625391841Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:20.62667838Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:20.627673457Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:20.629229592Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:20.630658215Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:20.632259369Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:20.634093671Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:20.635249344Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:20.636264626Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:20.637849545Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:20.63927964Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:20.640722309Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:20.642566081Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:20.643677641Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:20.646834766Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:20.648406138Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:20.657535968Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:20.663932265Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:20.667914294Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:20.670015376Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:20.673949426Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":13,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:20.833150783Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:20.834572896Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.835759524Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.836758532Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.838156708Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.839157144Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.840083943Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.84133256Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.842368776Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:20.843381934Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:20.844884708Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:20.846089454Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:20.847033796Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:20.848829584Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:20.849899664Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:20.850987285Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:20.852538557Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:20.854313944Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:20.855323203Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:20.856796349Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:20.857720366Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:20.858611303Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:20.862276556Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:20.863341008Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:20.865483683Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:20.866834696Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:20.871695412Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:20.875678845Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:20.87837602Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:20.879579666Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:20.882087166Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1996,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:21.026387784Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:21.027750217Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.028648172Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.029435563Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.030767777Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.031658205Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.032447618Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.033668646Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.034691015Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.035712261Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:21.03759218Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:21.038865109Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:21.039813644Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.041221917Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.042289218Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.043302046Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.044727691Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.045827638Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.046672724Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.047914957Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.048987282Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.049929643Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.051378894Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:21.052688826Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:21.055017811Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:21.056603565Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:21.066557451Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:21.073353376Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:21.07728164Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:21.079195465Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:21.083136466Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":13,"Month":1,"Year":1996,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:21.23201108Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:21.233117573Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.233849272Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.234651267Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.235960398Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.236892648Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.237786006Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.238973094Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.240064969Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.241125029Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:21.24263282Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:21.244116898Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:21.245143849Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.246734321Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.248052394Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.249247018Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.251252897Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.252395455Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.253350077Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.254790728Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.255744584Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.257520155Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.258924377Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:21.259999607Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:21.262203558Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:21.263817881Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:21.272901909Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:21.279255069Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:21.283142256Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:21.285046891Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:21.288910159Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:21.429720245Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:21.431133796Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.431901667Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.432625401Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.433801084Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.434768488Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.435696039Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.437023857Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.437884743Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.438680639Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:21.440205327Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:21.441441771Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:21.442354294Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.443628636Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.444608287Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.445532713Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.44711275Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.448050193Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.448822207Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.450087011Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.450982236Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.452614658Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.453787819Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:21.454776183Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:21.456880453Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:21.458390516Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:21.467485004Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:21.473762303Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:21.490316571Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:21.49204527Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:21.495904492Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":7,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":186,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:40:21.510961595Z 53 PC: 149f8 | Get interrupt vector (Interrupt = '96' AKA 'Qualify filename')
2018-12-25T11:40:21.513698102Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.515345677Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.517102229Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.519254692Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.520542871Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.521699103Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.522875091Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.52453559Z 53 PC: 149f8 | Get interrupt vector (See above)
2018-12-25T11:40:21.526193942Z 82 PC: 14a2c | Get DOS internal pointers (SYSVARS)
2018-12-25T11:40:21.527532136Z 38 PC: 14b5c | Create PSP
2018-12-25T11:40:21.544623887Z 52 PC: 9f4f5 | Get InDOS flag pointer
2018-12-25T11:40:21.545975127Z 53 PC: 9f51a | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.549809384Z 53 PC: 9f529 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.551470159Z 53 PC: 9f538 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.55251591Z 53 PC: 9f547 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.553680649Z 53 PC: 9f556 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.555681058Z 37 PC: 9f568 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T11:40:21.557113803Z 37 PC: 9f570 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:40:21.558471324Z 37 PC: 9f578 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:40:21.560307186Z 37 PC: 9f580 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:40:21.562364911Z 37 PC: 9f588 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:40:21.564467551Z 37 PC: 9f598 | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-25T11:40:21.566557236Z 42 PC: 9f5d5 | Get date
0x9f5d5: cmp cx, 0x7cc
0x9f5d9: jge 0x9f5e8
0x9f5db: cmp dh, 0xb
0x9f5de: jg 0x9f5e8
0x9f5e0: cmp dl, 7
0x9f5e3: jge 0x9f5e8
0x9f5e5: jmp 0x9f5ed
0x9f5e7: nop
0x9f5e8: cmp dl, 0xd
0x9f5eb: je 0x9f5f4
0x9f5ed: mov word ptr cs:[0xbe6], 0x7fff
0x9f5f4: retf
0x9f5f5: push es
0x9f5f6: push bx
0x9f5f7: push cx
0x9f5f8: mov cl, 0xff
0x9f5fa: mov ax, 0x3560
0x9f5fd: inc cl
0x9f5ff: cmp cl, 8
0x9f602: jg 0x9f62c
2018-12-25T11:40:21.570159342Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:40:21.572585989Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:40:21.583864417Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:40:21.592581823Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:40:21.597208737Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:40:21.60165819Z 9 PC: 12b03 | Display string (String= 'Size change=+0C70h/03184d. Virus might be activ? ')
2018-12-25T11:40:21.607544871Z 76 PC: 12b09 | Terminate with return code (Return code = '1')