Sample viewer

vx.netlux.org/Virus.DOS.Spanska_II.4250

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:16:42.282509533Z	105	PC: 12aff \| Get or set media id
2018-12-17T22:16:42.284509052Z	74	PC: 12b18 \| Reallocate memory
2018-12-17T22:16:42.286072329Z	74	PC: 12b29 \| Reallocate memory
2018-12-17T22:16:42.287321055Z	72	PC: 12b39 \| Allocate memory
2018-12-17T22:16:42.289636082Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:16:42.291819166Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:16:42.292887654Z	78	PC: 12f53 \| Find first file
2018-12-17T22:16:42.30041416Z	67	PC: 12f65 \| Get or set file attributes
2018-12-17T22:16:42.306928361Z	67	PC: 12f79 \| Get or set file attributes
2018-12-17T22:16:42.860645125Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-17T22:16:42.868293777Z	87	PC: 12f97 \| Get or set file date and time
2018-12-17T22:16:42.870086972Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:16:42.87630189Z	66	PC: 12ff3 \| Move file pointer
2018-12-17T22:16:42.878728905Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.881258775Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.883888739Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.887065948Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.890036927Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.892287357Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.894600662Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.896981797Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.89903998Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.901293782Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.904167958Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.906728788Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.909301896Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.912075878Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.915391195Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.917941082Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-17T22:16:42.921338203Z	44	PC: 134da \| Get time 0x134da: mov byte ptr cs:[bp + 0x11c8], dl 0x134df: lea si, word ptr [bp + 0x1b6] 0x134e3: lea di, word ptr [bp + 0x11c9] 0x134e7: mov cx, 0x1012 0x134ea: mov al, byte ptr cs:[bp + 0x11c7] 0x134ef: cmp al, 0 0x134f1: je 0x1352b 0x134f3: cmp al, 1 0x134f5: je 0x13523 0x134f7: cmp al, 2 0x134f9: je 0x1351b 0x134fb: cmp al, 3 0x134fd: je 0x13513 0x134ff: cmp al, 4 0x13501: je 0x1350b 0x13503: lodsb al, byte ptr [si] 0x13504: neg al 0x13506: stosb byte ptr es:[di], al 0x13507: loop 0x13503 0x13509: jmp 0x13531
2018-12-17T22:16:42.925049266Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-17T22:16:42.932517034Z	64	PC: 13022 \| Write file or device (Write 4115 bytes on handle 5)
2018-12-17T22:16:42.942900343Z	66	PC: 13039 \| Move file pointer
2018-12-17T22:16:42.944191012Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:16:42.947570952Z	87	PC: 1306a \| Get or set file date and time
2018-12-17T22:16:42.949449461Z	62	PC: 1306e \| Close file
2018-12-17T22:16:42.956585734Z	67	PC: 13084 \| Get or set file attributes
2018-12-17T22:16:42.961284844Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-17T22:16:42.964395683Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-17T22:16:42.966687973Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":2967,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:47:53.545725338Z	105	PC: 12aff \| Get or set media id
2018-12-25T11:47:53.547022732Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T11:47:53.548985281Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T11:47:53.55016946Z	72	PC: 12b39 \| Allocate memory
2018-12-25T11:47:53.551545734Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:47:53.552647839Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:47:53.55363547Z	78	PC: 12f53 \| Find first file
2018-12-25T11:47:53.562828641Z	67	PC: 12f65 \| Get or set file attributes
2018-12-25T11:47:53.569285896Z	67	PC: 12f79 \| Get or set file attributes
2018-12-25T11:47:55.106354208Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T11:47:55.113217604Z	87	PC: 12f97 \| Get or set file date and time
2018-12-25T11:47:55.115371651Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:47:55.121426353Z	66	PC: 12ff3 \| Move file pointer
2018-12-25T11:47:55.12283606Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-25T11:47:55.125869613Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.128034362Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.130085908Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.132705388Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.134845517Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.136924109Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.13948887Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.141600457Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.14369957Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.147017959Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.149098931Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.151172052Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.153752434Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.155418661Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.157058675Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.159236072Z	44	PC: 134da \| Get time 0x134da: mov byte ptr cs:[bp + 0x11c8], dl 0x134df: lea si, word ptr [bp + 0x1b6] 0x134e3: lea di, word ptr [bp + 0x11c9] 0x134e7: mov cx, 0x1012 0x134ea: mov al, byte ptr cs:[bp + 0x11c7] 0x134ef: cmp al, 0 0x134f1: je 0x1352b 0x134f3: cmp al, 1 0x134f5: je 0x13523 0x134f7: cmp al, 2 0x134f9: je 0x1351b 0x134fb: cmp al, 3 0x134fd: je 0x13513 0x134ff: cmp al, 4 0x13501: je 0x1350b 0x13503: lodsb al, byte ptr [si] 0x13504: neg al 0x13506: stosb byte ptr es:[di], al 0x13507: loop 0x13503 0x13509: jmp 0x13531
2018-12-25T11:47:55.161166946Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T11:47:55.167462867Z	64	PC: 13022 \| Write file or device (Write 4115 bytes on handle 5)
2018-12-25T11:47:55.177702568Z	66	PC: 13039 \| Move file pointer
2018-12-25T11:47:55.179624583Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:47:55.182785413Z	87	PC: 1306a \| Get or set file date and time
2018-12-25T11:47:55.184761944Z	62	PC: 1306e \| Close file
2018-12-25T11:47:55.198181987Z	67	PC: 13084 \| Get or set file attributes
2018-12-25T11:47:55.202526277Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-25T11:47:55.205474812Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-25T11:47:55.207678739Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":0,"TimeBased":true,"OriginalID":2967,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:47:54.066890174Z	105	PC: 12aff \| Get or set media id
2018-12-25T11:47:54.069002806Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T11:47:54.070441006Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T11:47:54.071538214Z	72	PC: 12b39 \| Allocate memory
2018-12-25T11:47:54.07347754Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:47:54.074639364Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:47:54.075974808Z	78	PC: 12f53 \| Find first file
2018-12-25T11:47:54.085334073Z	67	PC: 12f65 \| Get or set file attributes
2018-12-25T11:47:54.09117496Z	67	PC: 12f79 \| Get or set file attributes
2018-12-25T11:47:55.106914844Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T11:47:55.115010726Z	87	PC: 12f97 \| Get or set file date and time
2018-12-25T11:47:55.116534996Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:47:55.123063469Z	66	PC: 12ff3 \| Move file pointer
2018-12-25T11:47:55.12519986Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-25T11:47:55.127494017Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.130036229Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.133572146Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.135756815Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.137886509Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.140020803Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.146893306Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.149017677Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.151089981Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.154594066Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.156953991Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.159317612Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.162249128Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.164365888Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.166433721Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.168975756Z	44	PC: 134da \| Get time 0x134da: mov byte ptr cs:[bp + 0x11c8], dl 0x134df: lea si, word ptr [bp + 0x1b6] 0x134e3: lea di, word ptr [bp + 0x11c9] 0x134e7: mov cx, 0x1012 0x134ea: mov al, byte ptr cs:[bp + 0x11c7] 0x134ef: cmp al, 0 0x134f1: je 0x1352b 0x134f3: cmp al, 1 0x134f5: je 0x13523 0x134f7: cmp al, 2 0x134f9: je 0x1351b 0x134fb: cmp al, 3 0x134fd: je 0x13513 0x134ff: cmp al, 4 0x13501: je 0x1350b 0x13503: lodsb al, byte ptr [si] 0x13504: neg al 0x13506: stosb byte ptr es:[di], al 0x13507: loop 0x13503 0x13509: jmp 0x13531
2018-12-25T11:47:55.171724725Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T11:47:55.178028707Z	64	PC: 13022 \| Write file or device (Write 4115 bytes on handle 5)
2018-12-25T11:47:55.189233267Z	66	PC: 13039 \| Move file pointer
2018-12-25T11:47:55.190846416Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:47:55.193888167Z	87	PC: 1306a \| Get or set file date and time
2018-12-25T11:47:55.197170717Z	62	PC: 1306e \| Close file
2018-12-25T11:47:55.204537511Z	67	PC: 13084 \| Get or set file attributes
2018-12-25T11:47:55.208959468Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-25T11:47:55.218889091Z	42	PC: 13544 \| Get date (See above)

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":16,"TimeBased":true,"OriginalID":2967,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:47:54.161130465Z	105	PC: 12aff \| Get or set media id
2018-12-25T11:47:54.163023539Z	74	PC: 12b18 \| Reallocate memory
2018-12-25T11:47:54.164687282Z	74	PC: 12b29 \| Reallocate memory
2018-12-25T11:47:54.165904198Z	72	PC: 12b39 \| Allocate memory
2018-12-25T11:47:54.167705267Z	53	PC: 12b6a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:47:54.170385262Z	37	PC: 12b84 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:47:54.173384462Z	78	PC: 12f53 \| Find first file
2018-12-25T11:47:54.18350168Z	67	PC: 12f65 \| Get or set file attributes
2018-12-25T11:47:54.200768697Z	67	PC: 12f79 \| Get or set file attributes
2018-12-25T11:47:55.847735368Z	61	PC: 12f82 \| Open file (Filename = 'C:\WINDOWS\WIN.COM')
2018-12-25T11:47:55.855753161Z	87	PC: 12f97 \| Get or set file date and time
2018-12-25T11:47:55.857865674Z	63	PC: 12fad \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:47:55.889502975Z	66	PC: 12ff3 \| Move file pointer
2018-12-25T11:47:55.891199172Z	42	PC: 13544 \| Get date 0x13544: xchg ax, dx 0x13545: xor ax, 0xffff 0x13548: xor dx, dx 0x1354a: div bx 0x1354c: xchg ax, dx 0x1354d: pop cx 0x1354e: pop dx 0x1354f: pop bx 0x13550: ret 0x13551: call 0x2353c 0x13554: mov cx, bx 0x13556: mul bx 0x13558: add si, ax 0x1355a: rep movsb byte ptr es:[di], byte ptr [si] 0x1355c: ret 0x1355d: mov di, sp 0x1355f: call 0x13563 0x13562: ret 0x13563: dec di 0x13564: dec di
2018-12-25T11:47:55.895533442Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.898047301Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.900551218Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.903436958Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.905876671Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.907471727Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.909195526Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.9111732Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.913684592Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.916106988Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.918662404Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.921149584Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.923509284Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.926483672Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.928746862Z	42	PC: 13544 \| Get date (See above)
2018-12-25T11:47:55.931064305Z	44	PC: 134da \| Get time 0x134da: mov byte ptr cs:[bp + 0x11c8], dl 0x134df: lea si, word ptr [bp + 0x1b6] 0x134e3: lea di, word ptr [bp + 0x11c9] 0x134e7: mov cx, 0x1012 0x134ea: mov al, byte ptr cs:[bp + 0x11c7] 0x134ef: cmp al, 0 0x134f1: je 0x1352b 0x134f3: cmp al, 1 0x134f5: je 0x13523 0x134f7: cmp al, 2 0x134f9: je 0x1351b 0x134fb: cmp al, 3 0x134fd: je 0x13513 0x134ff: cmp al, 4 0x13501: je 0x1350b 0x13503: lodsb al, byte ptr [si] 0x13504: neg al 0x13506: stosb byte ptr es:[di], al 0x13507: loop 0x13503 0x13509: jmp 0x13531
2018-12-25T11:47:55.93462812Z	64	PC: 1300e \| Write file or device (Write 135 bytes on handle 5)
2018-12-25T11:47:55.941865065Z	64	PC: 13022 \| Write file or device (Write 4115 bytes on handle 5)
2018-12-25T11:47:55.970239215Z	66	PC: 13039 \| Move file pointer
2018-12-25T11:47:55.975223808Z	64	PC: 1304d \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:47:55.978230068Z	87	PC: 1306a \| Get or set file date and time
2018-12-25T11:47:55.979777543Z	62	PC: 1306e \| Close file
2018-12-25T11:47:56.016799081Z	67	PC: 13084 \| Get or set file attributes
2018-12-25T11:47:56.019911742Z	44	PC: 12ede \| Get time 0x12ede: cmp cl, 0x1e 0x12ee1: jne 0x12eeb 0x12ee3: cmp dh, 0xf 0x12ee6: ja 0x12eeb 0x12ee8: jmp 0x13091 0x12eeb: cmp byte ptr cs:[0], 0xcd 0x12ef1: je 0x12f17 0x12ef3: mov ax, es 0x12ef5: add ax, 0x10 0x12ef8: add word ptr cs:[bp + 0x5d1], ax 0x12efd: cli 0x12efe: add ax, word ptr cs:[bp + 0x5d3] 0x12f03: mov ss, ax 0x12f05: mov sp, word ptr cs:[bp + 0x5d5] 0x12f0a: sti 0x12f0b: call 0x12f32 0x12f0e: ljmp 0x9090:0x9090 0x12f13: nop 0x12f14: nop 0x12f15: nop
2018-12-25T11:47:56.022602214Z	9	PC: 12a4b \| Display string (String= '------Fake host execution-----')
2018-12-25T11:47:56.026377654Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')