{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":3639,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T11:49:49.202309091Z | 42 | PC: 12b06 | Get date 0x12b06: cmp cx, 0x7cb 0x12b0a: jne 0x12b11 0x12b0c: cmp dh, 3 0x12b0f: jb 0x12b3a 0x12b11: mov al, 0xff 0x12b13: mov ah, 0xf 0x12b15: xchg al, ah 0x12b17: nop 0x12b18: int 0x21 0x12b1a: cmp ax, 0x101 0x12b1d: je 0x12b3a 0x12b1f: xor ax, ax 0x12b21: mov es, ax 0x12b23: cmp word ptr es:[0x54], 0x96b 0x12b2a: je 0x12b3a 0x12b2c: mov ah, 0x30 0x12b2e: add ah, 0x40 0x12b31: nop 0x12b32: mov al, 0xf0 0x12b34: xchg al, ah |
| 2018-12-25T11:49:49.204360136Z | 255 | PC: 12b1a | UNKNOWN! |
| 2018-12-25T11:49:49.205004398Z | 240 | PC: 12b38 | UNKNOWN! |
| 2018-12-25T11:49:49.206544401Z | 74 | PC: 12fa9 | Reallocate memory |
| 2018-12-25T11:49:49.209501494Z | 75 | PC: 12ff5 | Execute program |
| 2018-12-25T11:49:49.223335824Z | 42 | PC: 13416 | Get date 0x13416: cmp cx, 0x7cb 0x1341a: jne 0x13421 0x1341c: cmp dh, 3 0x1341f: jb 0x1344a 0x13421: mov al, 0xff 0x13423: mov ah, 0xf 0x13425: xchg al, ah 0x13427: nop 0x13428: int 0x21 0x1342a: cmp ax, 0x101 0x1342d: je 0x1344a 0x1342f: xor ax, ax 0x13431: mov es, ax 0x13433: cmp word ptr es:[0x54], 0x96b 0x1343a: je 0x1344a 0x1343c: mov ah, 0x30 0x1343e: add ah, 0x40 0x13441: nop 0x13442: mov al, 0xf0 0x13444: xchg al, ah |
| 2018-12-25T11:49:49.225598447Z | 255 | PC: 1342a | UNKNOWN! |
| 2018-12-25T11:49:49.226976506Z | 9 | PC: 13357 | Display string (String= 'This file is infected with Wanderer.II VIRUS! ') |
| 2018-12-25T11:49:49.232218943Z | 76 | PC: 1335c | Terminate with return code (Return code = '0') |
| 2018-12-25T11:49:49.234956756Z | 73 | PC: 12c45 | Release memory |
| 2018-12-25T11:49:49.236492244Z | 44 | PC: 13003 | Get time 0x13003: cmp cl, 0 0x13006: je 0x13010 0x13008: mov al, 0x31 0x1300a: mov dx, 0x89 0x1300d: call 0x22c3c 0x13010: push cs 0x13011: pop ds 0x13012: push cs 0x13013: pop es 0x13014: call 0x22aeb 0x13017: and al, 2 0x13019: cmp al, 2 0x1301b: jne 0x1304b 0x1301d: mov ah, 0x19 0x1301f: int 0x21 0x13021: mov dl, al 0x13023: cmp dl, 2 0x13026: jb 0x1302b 0x13028: add dl, 0x7e 0x1302b: mov ax, 0x309 |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":3639,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T11:49:49.236601993Z | 42 | PC: 12b06 | Get date 0x12b06: cmp cx, 0x7cb 0x12b0a: jne 0x12b11 0x12b0c: cmp dh, 3 0x12b0f: jb 0x12b3a 0x12b11: mov al, 0xff 0x12b13: mov ah, 0xf 0x12b15: xchg al, ah 0x12b17: nop 0x12b18: int 0x21 0x12b1a: cmp ax, 0x101 0x12b1d: je 0x12b3a 0x12b1f: xor ax, ax 0x12b21: mov es, ax 0x12b23: cmp word ptr es:[0x54], 0x96b 0x12b2a: je 0x12b3a 0x12b2c: mov ah, 0x30 0x12b2e: add ah, 0x40 0x12b31: nop 0x12b32: mov al, 0xf0 0x12b34: xchg al, ah |
| 2018-12-25T11:49:49.240713636Z | 255 | PC: 12b1a | UNKNOWN! |
| 2018-12-25T11:49:49.242122974Z | 240 | PC: 12b38 | UNKNOWN! |
| 2018-12-25T11:49:49.244880933Z | 74 | PC: 12fa9 | Reallocate memory |
| 2018-12-25T11:49:49.247669064Z | 75 | PC: 12ff5 | Execute program |
| 2018-12-25T11:49:49.264882309Z | 42 | PC: 13416 | Get date 0x13416: cmp cx, 0x7cb 0x1341a: jne 0x13421 0x1341c: cmp dh, 3 0x1341f: jb 0x1344a 0x13421: mov al, 0xff 0x13423: mov ah, 0xf 0x13425: xchg al, ah 0x13427: nop 0x13428: int 0x21 0x1342a: cmp ax, 0x101 0x1342d: je 0x1344a 0x1342f: xor ax, ax 0x13431: mov es, ax 0x13433: cmp word ptr es:[0x54], 0x96b 0x1343a: je 0x1344a 0x1343c: mov ah, 0x30 0x1343e: add ah, 0x40 0x13441: nop 0x13442: mov al, 0xf0 0x13444: xchg al, ah |
| 2018-12-25T11:49:49.267489599Z | 255 | PC: 1342a | UNKNOWN! |
| 2018-12-25T11:49:49.269164847Z | 9 | PC: 13357 | Display string (String= 'This file is infected with Wanderer.II VIRUS! ') |
| 2018-12-25T11:49:49.277181423Z | 76 | PC: 1335c | Terminate with return code (Return code = '0') |
| 2018-12-25T11:49:49.281103423Z | 73 | PC: 12c45 | Release memory |
| 2018-12-25T11:49:49.283614344Z | 44 | PC: 13003 | Get time 0x13003: cmp cl, 0 0x13006: je 0x13010 0x13008: mov al, 0x31 0x1300a: mov dx, 0x89 0x1300d: call 0x22c3c 0x13010: push cs 0x13011: pop ds 0x13012: push cs 0x13013: pop es 0x13014: call 0x22aeb 0x13017: and al, 2 0x13019: cmp al, 2 0x1301b: jne 0x1304b 0x1301d: mov ah, 0x19 0x1301f: int 0x21 0x13021: mov dl, al 0x13023: cmp dl, 2 0x13026: jb 0x1302b 0x13028: add dl, 0x7e 0x1302b: mov ax, 0x309 |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":1,"Second":0,"TimeBased":true,"OriginalID":3639,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T11:49:49.564788788Z | 42 | PC: 12b06 | Get date 0x12b06: cmp cx, 0x7cb 0x12b0a: jne 0x12b11 0x12b0c: cmp dh, 3 0x12b0f: jb 0x12b3a 0x12b11: mov al, 0xff 0x12b13: mov ah, 0xf 0x12b15: xchg al, ah 0x12b17: nop 0x12b18: int 0x21 0x12b1a: cmp ax, 0x101 0x12b1d: je 0x12b3a 0x12b1f: xor ax, ax 0x12b21: mov es, ax 0x12b23: cmp word ptr es:[0x54], 0x96b 0x12b2a: je 0x12b3a 0x12b2c: mov ah, 0x30 0x12b2e: add ah, 0x40 0x12b31: nop 0x12b32: mov al, 0xf0 0x12b34: xchg al, ah |
| 2018-12-25T11:49:49.568078128Z | 255 | PC: 12b1a | UNKNOWN! |
| 2018-12-25T11:49:49.569286039Z | 240 | PC: 12b38 | UNKNOWN! |
| 2018-12-25T11:49:49.571255937Z | 74 | PC: 12fa9 | Reallocate memory |
| 2018-12-25T11:49:49.573137504Z | 75 | PC: 12ff5 | Execute program |
| 2018-12-25T11:49:49.589091993Z | 42 | PC: 13416 | Get date 0x13416: cmp cx, 0x7cb 0x1341a: jne 0x13421 0x1341c: cmp dh, 3 0x1341f: jb 0x1344a 0x13421: mov al, 0xff 0x13423: mov ah, 0xf 0x13425: xchg al, ah 0x13427: nop 0x13428: int 0x21 0x1342a: cmp ax, 0x101 0x1342d: je 0x1344a 0x1342f: xor ax, ax 0x13431: mov es, ax 0x13433: cmp word ptr es:[0x54], 0x96b 0x1343a: je 0x1344a 0x1343c: mov ah, 0x30 0x1343e: add ah, 0x40 0x13441: nop 0x13442: mov al, 0xf0 0x13444: xchg al, ah |
| 2018-12-25T11:49:49.59151799Z | 255 | PC: 1342a | UNKNOWN! |
| 2018-12-25T11:49:49.592663058Z | 9 | PC: 13357 | Display string (String= 'This file is infected with Wanderer.II VIRUS! ') |
| 2018-12-25T11:49:49.599226386Z | 76 | PC: 1335c | Terminate with return code (Return code = '0') |
| 2018-12-25T11:49:49.60255343Z | 73 | PC: 12c45 | Release memory |
| 2018-12-25T11:49:49.604149596Z | 44 | PC: 13003 | Get time 0x13003: cmp cl, 0 0x13006: je 0x13010 0x13008: mov al, 0x31 0x1300a: mov dx, 0x89 0x1300d: call 0x22c3c 0x13010: push cs 0x13011: pop ds 0x13012: push cs 0x13013: pop es 0x13014: call 0x22aeb 0x13017: and al, 2 0x13019: cmp al, 2 0x1301b: jne 0x1304b 0x1301d: mov ah, 0x19 0x1301f: int 0x21 0x13021: mov dl, al 0x13023: cmp dl, 2 0x13026: jb 0x1302b 0x13028: add dl, 0x7e 0x1302b: mov ax, 0x309 |
| 2018-12-25T11:49:49.607381953Z | 49 | PC: 12c45 | Terminate and stay resident (See above) |
{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":1,"Second":0,"TimeBased":true,"OriginalID":3639,"SideJobID":0}
.
GIF
Syscalls:
| Time | Syscall Op | Syscall Name |
|---|---|---|
| 2018-12-25T11:49:49.547317754Z | 42 | PC: 12b06 | Get date 0x12b06: cmp cx, 0x7cb 0x12b0a: jne 0x12b11 0x12b0c: cmp dh, 3 0x12b0f: jb 0x12b3a 0x12b11: mov al, 0xff 0x12b13: mov ah, 0xf 0x12b15: xchg al, ah 0x12b17: nop 0x12b18: int 0x21 0x12b1a: cmp ax, 0x101 0x12b1d: je 0x12b3a 0x12b1f: xor ax, ax 0x12b21: mov es, ax 0x12b23: cmp word ptr es:[0x54], 0x96b 0x12b2a: je 0x12b3a 0x12b2c: mov ah, 0x30 0x12b2e: add ah, 0x40 0x12b31: nop 0x12b32: mov al, 0xf0 0x12b34: xchg al, ah |
| 2018-12-25T11:49:49.550394876Z | 255 | PC: 12b1a | UNKNOWN! |
| 2018-12-25T11:49:49.551458811Z | 240 | PC: 12b38 | UNKNOWN! |
| 2018-12-25T11:49:49.553325025Z | 74 | PC: 12fa9 | Reallocate memory |
| 2018-12-25T11:49:49.555461701Z | 75 | PC: 12ff5 | Execute program |
| 2018-12-25T11:49:49.577446203Z | 42 | PC: 13416 | Get date 0x13416: cmp cx, 0x7cb 0x1341a: jne 0x13421 0x1341c: cmp dh, 3 0x1341f: jb 0x1344a 0x13421: mov al, 0xff 0x13423: mov ah, 0xf 0x13425: xchg al, ah 0x13427: nop 0x13428: int 0x21 0x1342a: cmp ax, 0x101 0x1342d: je 0x1344a 0x1342f: xor ax, ax 0x13431: mov es, ax 0x13433: cmp word ptr es:[0x54], 0x96b 0x1343a: je 0x1344a 0x1343c: mov ah, 0x30 0x1343e: add ah, 0x40 0x13441: nop 0x13442: mov al, 0xf0 0x13444: xchg al, ah |
| 2018-12-25T11:49:49.579993939Z | 255 | PC: 1342a | UNKNOWN! |
| 2018-12-25T11:49:49.583030255Z | 9 | PC: 13357 | Display string (String= 'This file is infected with Wanderer.II VIRUS! ') |
| 2018-12-25T11:49:49.59593113Z | 76 | PC: 1335c | Terminate with return code (Return code = '0') |
| 2018-12-25T11:49:49.59896572Z | 73 | PC: 12c45 | Release memory |
| 2018-12-25T11:49:49.600473868Z | 44 | PC: 13003 | Get time 0x13003: cmp cl, 0 0x13006: je 0x13010 0x13008: mov al, 0x31 0x1300a: mov dx, 0x89 0x1300d: call 0x22c3c 0x13010: push cs 0x13011: pop ds 0x13012: push cs 0x13013: pop es 0x13014: call 0x22aeb 0x13017: and al, 2 0x13019: cmp al, 2 0x1301b: jne 0x1304b 0x1301d: mov ah, 0x19 0x1301f: int 0x21 0x13021: mov dl, al 0x13023: cmp dl, 2 0x13026: jb 0x1302b 0x13028: add dl, 0x7e 0x1302b: mov ax, 0x309 |
| 2018-12-25T11:49:49.602790381Z | 49 | PC: 12c45 | Terminate and stay resident (See above) |