Sample viewer

vx.netlux.org/Virus.DOS.V.947

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:29:13.097399563Z 170 PC: 1411c | UNKNOWN!
2018-12-17T22:29:13.099211922Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:29:13.10137187Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:29:13.10288862Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-17T22:29:13.105702316Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:29:13.10799699Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:29:13.109714274Z 67 PC: 9f997 | Get or set file attributes
2018-12-17T22:29:13.116476888Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:29:13.118186612Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:29:13.119391436Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-17T22:29:13.474614056Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-17T22:29:13.482045062Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-17T22:29:13.484550986Z 66 PC: 9f9e9 | Move file pointer
2018-12-17T22:29:13.486112431Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:29:13.489876718Z 66 PC: 9fa23 | Move file pointer
2018-12-17T22:29:13.491431626Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:29:13.494890876Z 66 PC: 9fa36 | Move file pointer
2018-12-17T22:29:13.497735303Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:29:13.500999669Z 66 PC: 9fa49 | Move file pointer
2018-12-17T22:29:13.502493079Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-17T22:29:13.514321226Z 87 PC: 9fa62 | Get or set file date and time
2018-12-17T22:29:13.516203411Z 62 PC: 9fa66 | Close file
2018-12-17T22:29:13.524711025Z 67 PC: 9fa70 | Get or set file attributes
2018-12-17T22:29:13.594737672Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:29:13.595949339Z 171 PC: 9f926 | UNKNOWN!
2018-12-17T22:29:13.596845258Z 171 PC: 9f933 | UNKNOWN!
2018-12-17T22:29:13.598372874Z 48 PC: 12a63 | Get DOS version
2018-12-17T22:29:13.599547582Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-17T22:29:13.608726535Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-17T22:29:13.616865452Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-17T22:29:13.619117357Z 93 PC: 12b24 | File sharing functions
2018-12-17T22:29:13.620991115Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-17T22:29:13.627456959Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.392445851Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.394252436Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.395608522Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.396697195Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.409640311Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.415136541Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.41659971Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.419233764Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.69733463Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.703885065Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.705897832Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.707996376Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.711043414Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.712698766Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.715919148Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.717480381Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.720166984Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.722249056Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.738541857Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.740095747Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.747471419Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.817226035Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.818726546Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.820883666Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.822558763Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.824051797Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.841114752Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.848217941Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.851979377Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.854624982Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.858709797Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":5,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.416479829Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.418714179Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.420382453Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.424788558Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.428365841Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.431004211Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.432619625Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.439790166Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.442155884Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.443404999Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.458983942Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.474889862Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.476910738Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.479709869Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.485899277Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.488255137Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.492617735Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.495633739Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.499173002Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.501177553Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.513730691Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.516741914Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.525939932Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.607877864Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.612644532Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.613806193Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.614894404Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.618096547Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.6291399Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.636601638Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.641451724Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.643916353Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.649047022Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":3,"Month":5,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.373147608Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.374367974Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.375397586Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.37636857Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.380568146Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.381632774Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.382724589Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.388114563Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.389151463Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.390196341Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.706541731Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.712673061Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.713954564Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.716823101Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.720561648Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.722114946Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.725145829Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.726717139Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.729279594Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.730854866Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.740884136Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.742289199Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.749416396Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.81949674Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.821219587Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.823099435Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.82446788Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.825742726Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.835899819Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.843020508Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.84697684Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.852971557Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.866330016Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":4,"Month":5,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.58072221Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.58204234Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.584075783Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.58579016Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.588680634Z 53 PC: 9f8b9 | Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:53:59.60463982Z 37 PC: 9f8cb | Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:53:59.607457588Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.60904613Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.611842125Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.618170935Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.619620476Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.621784118Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.459066129Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.467876861Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.471376276Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.47351346Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.477462253Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.48101406Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.486777763Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.488820193Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.492211742Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.495252037Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.507457396Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.509028113Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.518060606Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.589610808Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.591311884Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.593801311Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.595623184Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.59688584Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.610235566Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.61582531Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.619766207Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.6221156Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.627329637Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1995,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.571549923Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.573611908Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.574693007Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.575700833Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.578783074Z 53 PC: 9f8b9 | Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:53:59.579893081Z 37 PC: 9f8cb | Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:53:59.580925769Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.582463728Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.583623821Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.588857266Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.590570764Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.5917604Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.70606228Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.726462553Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.729192395Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.731745149Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.736009966Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.739004897Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.741891622Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.744895786Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.748408217Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.753082787Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.759698218Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.761501141Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.769128287Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.835758422Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.838007885Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.839133399Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.840555865Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.843035034Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.848291476Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.852498399Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.856106505Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.857973469Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.869196478Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":2,"Month":1,"Year":1995,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.699166376Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.70062363Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.703451858Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.705158815Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.708012136Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.710978082Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.712805375Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.718984139Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.721440196Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.723148626Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.459794723Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.468405878Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.470792092Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.472888271Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.488987083Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.493112975Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.496579095Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.498580426Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.503648649Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.505442147Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.516475813Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.519804254Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.52829895Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.606934792Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.609832049Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.611553684Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.613883832Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.615827772Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.627636787Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.635396075Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.639756975Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.642909753Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.646073918Z 76 PC: 12b09 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":7,"Month":1,"Year":1995,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5217,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:53:59.936617415Z 170 PC: 1411c | UNKNOWN!
2018-12-25T11:53:59.937942581Z 53 PC: 9f888 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.939066131Z 37 PC: 9f89a | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:53:59.940100326Z 42 PC: 9f89e | Get date
0x9f89e: cmp cx, 0x7ca
0x9f8a2: ja 0x9f8a9
0x9f8a4: cmp dh, 5
0x9f8a7: jb 0x9f919
0x9f8a9: cmp al, 0
0x9f8ab: jne 0x9f8cb
0x9f8ad: mov word ptr cs:[0x2e], 0x4e20
0x9f8b4: mov ax, 0x3508
0x9f8b7: int 0x21
0x9f8b9: mov word ptr cs:[0x12], bx
0x9f8be: mov word ptr cs:[0x14], es
0x9f8c3: mov ax, 0x2508
0x9f8c6: mov dx, 0x381
0x9f8c9: int 0x21
0x9f8cb: cmp al, 6
0x9f8cd: jne 0x9f8df
0x9f8cf: mov byte ptr cs:[0x2d], 1
0x9f8d5: mov word ptr cs:[0x30], 0x64
0x9f8dc: jmp 0x9f8e5
0x9f8de: nop
2018-12-25T11:53:59.942680634Z 53 PC: 9f907 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.943794788Z 37 PC: 9f919 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:53:59.944964587Z 67 PC: 9f997 | Get or set file attributes
2018-12-25T11:53:59.950377514Z 53 PC: 9f9a3 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.951869252Z 37 PC: 9f9b7 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:53:59.952877348Z 67 PC: 9f9c3 | Get or set file attributes
2018-12-25T11:54:00.702990932Z 61 PC: 9f9c8 | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T11:54:00.710789254Z 87 PC: 9f9d4 | Get or set file date and time
2018-12-25T11:54:00.712691324Z 66 PC: 9f9e9 | Move file pointer
2018-12-25T11:54:00.714679246Z 63 PC: 9fa0b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:54:00.719739774Z 66 PC: 9fa23 | Move file pointer
2018-12-25T11:54:00.721629948Z 63 PC: 9fa2d | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:54:00.724854577Z 66 PC: 9fa36 | Move file pointer
2018-12-25T11:54:00.727738826Z 64 PC: 9fa40 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:54:00.73069097Z 66 PC: 9fa49 | Move file pointer
2018-12-25T11:54:00.732320443Z 64 PC: 9fa53 | Write file or device (Write 974 bytes on handle 5)
2018-12-25T11:54:00.74320494Z 87 PC: 9fa62 | Get or set file date and time
2018-12-25T11:54:00.75117455Z 62 PC: 9fa66 | Close file
2018-12-25T11:54:00.758476947Z 67 PC: 9fa70 | Get or set file attributes
2018-12-25T11:54:00.834929569Z 37 PC: 9fa7f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:54:00.836357011Z 171 PC: 9f926 | UNKNOWN!
2018-12-25T11:54:00.837349704Z 171 PC: 9f933 | UNKNOWN!
2018-12-25T11:54:00.839832946Z 48 PC: 12a63 | Get DOS version
2018-12-25T11:54:00.841225499Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T11:54:00.850596666Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-25T11:54:00.857592639Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-25T11:54:00.861457375Z 93 PC: 12b24 | File sharing functions
2018-12-25T11:54:00.862949937Z 9 PC: 12b03 | Display string (String= 'Size change=+03CEh/00974d. Virus might be activ? ')
2018-12-25T11:54:00.867988304Z 76 PC: 12b09 | Terminate with return code (Return code = '1')