Sample viewer

vx.netlux.org/Virus.DOS.Trivial.Elben.354


Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:35:44.435910611Z 78 PC: 12a9c | Find first file
2018-12-17T22:35:44.443265044Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); DOS returns seconds in DH, hundredths in DL.
; The first instruction, `cmp dx, 0` at 0x12b1d, is on the trace row above.
; Linear sweep: the bytes after the `ret` at 0x12b26 are decoded as if they were code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown; presumably asks for the time again)
0x12b22: mov word ptr [0x1ef], dx  ; keep the non-zero seconds/hundredths word at offset 0x1ef
0x12b26: ret
; --- data, not code: 2A 2E 43 4F 4D is ASCII "*.COM" (presumably the file-search mask), then zero bytes ---
0x12b27: sub ch, byte ptr [0x4f43]
0x12b2b: dec bp
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + si], al
0x12b30: add byte ptr [bx + si], al
; --- the next four lines are decoded one byte out of step: from 0x12b33 the bytes
; --- E8 43 00 / 83 3E ED 01 00 are `call 0x12b79` and `cmp word ptr [0x1ed], 0` ---
0x12b32: add al, ch
0x12b34: inc bx
0x12b35: add byte ptr [bp + di - 0x12c2], al
0x12b39: add word ptr [bx + si], ax
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; one word fewer to go (the excerpt is cut off here)
; NOTE(review): where cx is loaded is not visible; it may derive from the time word at [0x1ef] — confirm.
2018-12-17T22:35:44.451214793Z 61 PC: 12a68 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:35:44.458572723Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.466081916Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.482039834Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.485590363Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 29 2D 42 4E 4C — every byte is 1 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: sub word ptr [di], bp
0x12b29: inc dx
0x12b2a: dec si
0x12b2b: dec sp
; --- data: 00 00 00 41 08 00 00 ---
; NOTE(review): with a segment base of 0x12940, offsets 0x1ed/0x1ef fall at 0x12b2d/0x12b2f,
; i.e. inside these bytes (loop counter and stored time word) — confirm.
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + di + 8], al
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; excerpt is cut off before the loop's back-branch
2018-12-17T22:35:44.489151983Z 61 PC: 12a68 | Open file (Filename = 'PRINT.COM')
2018-12-17T22:35:44.497530747Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.505198377Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.514188367Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.518819322Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 28 2C 41 4D 4B — every byte is 2 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: sub byte ptr [si], ch
0x12b29: inc cx
0x12b2a: dec bp
0x12b2b: dec bx
; --- data: 00 00 00 46 08 00 00 ---
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bp + 8], al
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; excerpt is cut off before the loop's back-branch
2018-12-17T22:35:44.52194274Z 61 PC: 12a68 | Open file (Filename = 'HELLO.COM')
2018-12-17T22:35:44.529472632Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.537724117Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.546598551Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.549880997Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 27 2B 40 4C 4A — every byte is 3 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: daa
0x12b28: sub ax, word ptr [bx + si + 0x4c]
0x12b2b: dec dx
; --- data: 00 00 00 46 08 00 00 ---
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bp + 8], al
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]
0x12b49: jmp 0x12b36  ; next word
2018-12-17T22:35:44.55330065Z 61 PC: 12a68 | Open file (Filename = 'PHANG.COM')
2018-12-17T22:35:44.562041604Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.569928265Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.582944616Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.587592573Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 26 2A 3F 4B 49 — every byte is 4 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: sub bh, byte ptr es:[bx]
0x12b2a: dec bx
0x12b2b: dec cx
; --- data: 00 00 00 46 08 00 00 ---
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bp + 8], al
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]
0x12b49: jmp 0x12b36  ; next word
2018-12-17T22:35:44.590473617Z 61 PC: 12a68 | Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:35:44.597755223Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.606056441Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.618009389Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.622041901Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 25 29 3E 4A 48 — every byte is 5 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: and ax, 0x3e29
0x12b2a: dec dx
0x12b2b: dec ax
; --- data: 00 00 00 4C 08 00 00 ---
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [si + 8], cl
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]
0x12b49: jmp 0x12b36  ; next word
2018-12-17T22:35:44.625928891Z 61 PC: 12a68 | Open file (Filename = 'MANDEL.COM')
2018-12-17T22:35:44.633479893Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.640822003Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.651145293Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.654344483Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 24 28 3D 49 47 — every byte is 6 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: and al, 0x28
0x12b29: cmp ax, 0x4749
; --- data: 00 00 00 51 08 00 00 ---
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + di + 8], dl
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]
0x12b49: jmp 0x12b36  ; next word
0x12b4b: ret  ; loop exit target
2018-12-17T22:35:44.657217682Z 61 PC: 12a68 | Open file (Filename = 'PAH.COM')
2018-12-17T22:35:44.665378347Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.672960467Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.68141901Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.685396179Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); first instruction `cmp dx, 0` is on the trace row above.
; Linear sweep: the bytes between the `ret` at 0x12b26 and the `call` at 0x12b33 are data decoded as code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown)
0x12b22: mov word ptr [0x1ef], dx  ; store the non-zero seconds/hundredths word
0x12b26: ret
; --- data: 23 27 3C 48 46 — every byte is 7 less than "*.COM" (2A 2E 43 4F 4D); cause not visible here ---
0x12b27: and sp, word ptr [bx]
0x12b29: cmp al, 0x48
0x12b2b: inc si
; --- data: 00 00 00 51 08 00 00 ---
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + di + 8], dl
0x12b31: add byte ptr [bx + si], al
0x12b33: call 0x12b79  ; helper outside this excerpt
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b36: cmp word ptr [0x1ed], 0
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]
0x12b49: jmp 0x12b36  ; next word
2018-12-17T22:35:44.688387229Z 61 PC: 12a68 | Open file (Filename = 'TEST.COM')
2018-12-17T22:35:44.696548144Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-17T22:35:44.699898097Z 62 PC: 12a7b | Close file
2018-12-17T22:35:44.709525062Z 79 PC: 12aaa | Find next file
2018-12-17T22:35:44.712300497Z 42 PC: 12ab4 | Get date 0x12ab4: cmp dh, 8
; Return path of the "Get date" call (op 42 = 0x2A); DOS returns the month in DH and the day in DL.
; The first instruction, `cmp dh, 8` at 0x12ab4, is on the trace row above.
; No print-string call (op 9) follows in the trace, so this run apparently took the jne path.
; The JSON line after this listing carries Month 1 / Day 1, presumably the emulated clock.
0x12ab7: jne 0x12ac5  ; month is not 8: straight to program exit
0x12ab9: cmp dl, 0x1f  ; day 31?
0x12abc: jne 0x12ac5
0x12abe: mov ah, 9  ; DOS function 09h: print the '$'-terminated string at ds:dx
0x12ac0: mov dx, 0x187
0x12ac3: int 0x21
0x12ac5: int 0x20  ; terminate the program
; --- data from here, decoded as code by the linear sweep: 0D 0A "F-PROT SUXXXX!" 0D 0A "TBA" ---
; NOTE(review): a segment base of 0x12940 would map offset 0x187 to 0x12ac7, making this the
; message printed above — confirm against a memory dump. The text is a candidate signature string.
0x12ac7: or ax, 0x460a
0x12aca: sub ax, 0x5250
0x12acd: dec di
0x12ace: push sp
0x12acf: and byte ptr [bp + di + 0x55], dl
0x12ad2: pop ax
0x12ad3: pop ax
0x12ad4: pop ax
0x12ad5: pop ax
0x12ad6: and word ptr [di], cx
0x12ad8: or dl, byte ptr [si + 0x42]
0x12adb: inc cx

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":6456,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:59:28.411557795Z 78 PC: 12a9c | Find first file
2018-12-25T11:59:28.418566264Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); DOS returns seconds in DH, hundredths in DL.
; The first instruction, `cmp dx, 0` at 0x12b1d, is on the trace row above.
; Linear sweep: the bytes after the `ret` at 0x12b26 are decoded as if they were code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown; presumably asks for the time again)
0x12b22: mov word ptr [0x1ef], dx  ; keep the non-zero seconds/hundredths word at offset 0x1ef
0x12b26: ret
; --- data, not code: 2A 2E 43 4F 4D is ASCII "*.COM" (presumably the file-search mask), then zero bytes ---
0x12b27: sub ch, byte ptr [0x4f43]
0x12b2b: dec bp
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + si], al
0x12b30: add byte ptr [bx + si], al
; --- the next four lines are decoded one byte out of step: from 0x12b33 the bytes
; --- E8 43 00 / 83 3E ED 01 00 are `call 0x12b79` and `cmp word ptr [0x1ed], 0` ---
0x12b32: add al, ch
0x12b34: inc bx
0x12b35: add byte ptr [bp + di - 0x12c2], al
0x12b39: add word ptr [bx + si], ax
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; one word fewer to go (the excerpt is cut off here)
2018-12-25T11:59:28.420788765Z 61 PC: 12a68 | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:59:28.427590952Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-25T11:59:28.434799239Z 62 PC: 12a7b | Close file
2018-12-25T11:59:28.452350126Z 79 PC: 12aaa | Find next file
2018-12-25T11:59:28.454930825Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.457800744Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.46428677Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.470701065Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.478281362Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.481483971Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.483682803Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.489999501Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.502011054Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.509700295Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.512565885Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.515335996Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.522389007Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.528961252Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.537254221Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.540083046Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.542601553Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.549296392Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.556388883Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.564173116Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.567672283Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.569986634Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.576420408Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.584381456Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.595183847Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.59696948Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.598743782Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.603231623Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.607333278Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.612417286Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.615174425Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.617320712Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.62369083Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.626583647Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.636021226Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.638385532Z 42 PC: 12ab4 | Get date 0x12ab4: cmp dh, 8
; Return path of the "Get date" call (op 42 = 0x2A); DOS returns the month in DH and the day in DL.
; The first instruction, `cmp dh, 8` at 0x12ab4, is on the trace row above.
; No print-string call (op 9) follows in the trace, so this run apparently took the jne path.
; The JSON line after this listing carries Month 1 / Day 1, presumably the emulated clock.
0x12ab7: jne 0x12ac5  ; month is not 8: straight to program exit
0x12ab9: cmp dl, 0x1f  ; day 31?
0x12abc: jne 0x12ac5
0x12abe: mov ah, 9  ; DOS function 09h: print the '$'-terminated string at ds:dx
0x12ac0: mov dx, 0x187
0x12ac3: int 0x21
0x12ac5: int 0x20  ; terminate the program
; --- data from here, decoded as code by the linear sweep: 0D 0A "F-PROT SUXXXX!" 0D 0A "TBA" ---
; NOTE(review): a segment base of 0x12940 would map offset 0x187 to 0x12ac7, making this the
; message printed above — confirm against a memory dump.
0x12ac7: or ax, 0x460a
0x12aca: sub ax, 0x5250
0x12acd: dec di
0x12ace: push sp
0x12acf: and byte ptr [bp + di + 0x55], dl
0x12ad2: pop ax
0x12ad3: pop ax
0x12ad4: pop ax
0x12ad5: pop ax
0x12ad6: and word ptr [di], cx
0x12ad8: or dl, byte ptr [si + 0x42]
0x12adb: inc cx

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":6456,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:59:28.67722904Z 78 PC: 12a9c | Find first file
2018-12-25T11:59:28.69860252Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); DOS returns seconds in DH, hundredths in DL.
; The first instruction, `cmp dx, 0` at 0x12b1d, is on the trace row above.
; Linear sweep: the bytes after the `ret` at 0x12b26 are decoded as if they were code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown; presumably asks for the time again)
0x12b22: mov word ptr [0x1ef], dx  ; keep the non-zero seconds/hundredths word at offset 0x1ef
0x12b26: ret
; --- data, not code: 2A 2E 43 4F 4D is ASCII "*.COM" (presumably the file-search mask), then zero bytes ---
0x12b27: sub ch, byte ptr [0x4f43]
0x12b2b: dec bp
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + si], al
0x12b30: add byte ptr [bx + si], al
; --- the next four lines are decoded one byte out of step: from 0x12b33 the bytes
; --- E8 43 00 / 83 3E ED 01 00 are `call 0x12b79` and `cmp word ptr [0x1ed], 0` ---
0x12b32: add al, ch
0x12b34: inc bx
0x12b35: add byte ptr [bp + di - 0x12c2], al
0x12b39: add word ptr [bx + si], ax
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; one word fewer to go (the excerpt is cut off here)
2018-12-25T11:59:28.701147164Z 61 PC: 12a68 | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:59:28.707487111Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-25T11:59:28.71536Z 62 PC: 12a7b | Close file
2018-12-25T11:59:28.729272201Z 79 PC: 12aaa | Find next file
2018-12-25T11:59:28.732122328Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.735735151Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.742956162Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.749667347Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.758137298Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.763454995Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.765676137Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.771956783Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.77886826Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.786359083Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.788889811Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.79142901Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.797665205Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.804262126Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.812583057Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.815198433Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.817396165Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.824215503Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.83057795Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.83869091Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.842145535Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.843761523Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.847710956Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.852327474Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.85989675Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.862217424Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.866740156Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.873494322Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.879694642Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.888155859Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.890597747Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:28.892711583Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:28.899339295Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:28.901953323Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:28.90939356Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:28.912061311Z 42 PC: 12ab4 | Get date 0x12ab4: cmp dh, 8
; Return path of the "Get date" call (op 42 = 0x2A); DOS returns the month in DH and the day in DL.
; The first instruction, `cmp dh, 8` at 0x12ab4, is on the trace row above.
; No print-string call (op 9) follows in the trace, so this run apparently took the jne path.
; The JSON line after this listing carries Month 1 / Day 1, presumably the emulated clock.
0x12ab7: jne 0x12ac5  ; month is not 8: straight to program exit
0x12ab9: cmp dl, 0x1f  ; day 31?
0x12abc: jne 0x12ac5
0x12abe: mov ah, 9  ; DOS function 09h: print the '$'-terminated string at ds:dx
0x12ac0: mov dx, 0x187
0x12ac3: int 0x21
0x12ac5: int 0x20  ; terminate the program
; --- data from here, decoded as code by the linear sweep: 0D 0A "F-PROT SUXXXX!" 0D 0A "TBA" ---
; NOTE(review): a segment base of 0x12940 would map offset 0x187 to 0x12ac7, making this the
; message printed above — confirm against a memory dump.
0x12ac7: or ax, 0x460a
0x12aca: sub ax, 0x5250
0x12acd: dec di
0x12ace: push sp
0x12acf: and byte ptr [bp + di + 0x55], dl
0x12ad2: pop ax
0x12ad3: pop ax
0x12ad4: pop ax
0x12ad5: pop ax
0x12ad6: and word ptr [di], cx
0x12ad8: or dl, byte ptr [si + 0x42]
0x12adb: inc cx

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":1,"TimeBased":true,"OriginalID":6456,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:59:29.656058198Z 78 PC: 12a9c | Find first file
2018-12-25T11:59:29.662252314Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); DOS returns seconds in DH, hundredths in DL.
; The first instruction, `cmp dx, 0` at 0x12b1d, is on the trace row above.
; Linear sweep: the bytes after the `ret` at 0x12b26 are decoded as if they were code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown; presumably asks for the time again)
0x12b22: mov word ptr [0x1ef], dx  ; keep the non-zero seconds/hundredths word at offset 0x1ef
0x12b26: ret
; --- data, not code: 2A 2E 43 4F 4D is ASCII "*.COM" (presumably the file-search mask), then zero bytes ---
0x12b27: sub ch, byte ptr [0x4f43]
0x12b2b: dec bp
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + si], al
0x12b30: add byte ptr [bx + si], al
; --- the next four lines are decoded one byte out of step: from 0x12b33 the bytes
; --- E8 43 00 / 83 3E ED 01 00 are `call 0x12b79` and `cmp word ptr [0x1ed], 0` ---
0x12b32: add al, ch
0x12b34: inc bx
0x12b35: add byte ptr [bp + di - 0x12c2], al
0x12b39: add word ptr [bx + si], ax
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; one word fewer to go (the excerpt is cut off here)
2018-12-25T11:59:29.664646038Z 61 PC: 12a68 | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:59:29.670819502Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-25T11:59:29.6774712Z 62 PC: 12a7b | Close file
2018-12-25T11:59:29.692154831Z 79 PC: 12aaa | Find next file
2018-12-25T11:59:29.694644191Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.697271054Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.703525977Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.70990118Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.717952744Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.720470193Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.722640673Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.72938396Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.735738055Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.74348569Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.746174614Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.748692004Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.755551404Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.761891665Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.778786982Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.781196949Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.78333544Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.789954202Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.796331254Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.803929333Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.807048354Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.809345444Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.815685673Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.823073299Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.830141183Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.831965184Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.834309711Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.839313193Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.843716493Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.851081854Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.853641635Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:29.855785072Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:29.865835132Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:29.868439316Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:29.876298482Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:29.878971601Z 42 PC: 12ab4 | Get date 0x12ab4: cmp dh, 8
; Return path of the "Get date" call (op 42 = 0x2A); DOS returns the month in DH and the day in DL.
; The first instruction, `cmp dh, 8` at 0x12ab4, is on the trace row above.
; No print-string call (op 9) follows in the trace, so this run apparently took the jne path.
; The JSON line after this listing carries Month 1 / Day 1, presumably the emulated clock.
0x12ab7: jne 0x12ac5  ; month is not 8: straight to program exit
0x12ab9: cmp dl, 0x1f  ; day 31?
0x12abc: jne 0x12ac5
0x12abe: mov ah, 9  ; DOS function 09h: print the '$'-terminated string at ds:dx
0x12ac0: mov dx, 0x187
0x12ac3: int 0x21
0x12ac5: int 0x20  ; terminate the program
; --- data from here, decoded as code by the linear sweep: 0D 0A "F-PROT SUXXXX!" 0D 0A "TBA" ---
; NOTE(review): a segment base of 0x12940 would map offset 0x187 to 0x12ac7, making this the
; message printed above — confirm against a memory dump.
0x12ac7: or ax, 0x460a
0x12aca: sub ax, 0x5250
0x12acd: dec di
0x12ace: push sp
0x12acf: and byte ptr [bp + di + 0x55], dl
0x12ad2: pop ax
0x12ad3: pop ax
0x12ad4: pop ax
0x12ad5: pop ax
0x12ad6: and word ptr [di], cx
0x12ad8: or dl, byte ptr [si + 0x42]
0x12adb: inc cx

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":1,"TimeBased":true,"OriginalID":6456,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:59:31.582251668Z 78 PC: 12a9c | Find first file
2018-12-25T11:59:31.589610356Z 44 PC: 12b1d | Get time 0x12b1d: cmp dx, 0
; Return path of the "Get time" call (op 44 = 0x2C); DOS returns seconds in DH, hundredths in DL.
; The first instruction, `cmp dx, 0` at 0x12b1d, is on the trace row above.
; Linear sweep: the bytes after the `ret` at 0x12b26 are decoded as if they were code.
0x12b20: je 0x12b19  ; dx == 0: back to 0x12b19 (not shown; presumably asks for the time again)
0x12b22: mov word ptr [0x1ef], dx  ; keep the non-zero seconds/hundredths word at offset 0x1ef
0x12b26: ret
; --- data, not code: 2A 2E 43 4F 4D is ASCII "*.COM" (presumably the file-search mask), then zero bytes ---
0x12b27: sub ch, byte ptr [0x4f43]
0x12b2b: dec bp
0x12b2c: add byte ptr [bx + si], al
0x12b2e: add byte ptr [bx + si], al
0x12b30: add byte ptr [bx + si], al
; --- the next four lines are decoded one byte out of step: from 0x12b33 the bytes
; --- E8 43 00 / 83 3E ED 01 00 are `call 0x12b79` and `cmp word ptr [0x1ed], 0` ---
0x12b32: add al, ch
0x12b34: inc bx
0x12b35: add byte ptr [bp + di - 0x12c2], al
0x12b39: add word ptr [bx + si], ax
; Word-wise transform loop; [0x1ed] is the remaining word count.
0x12b3b: je 0x12b4b  ; count is zero: leave the loop
0x12b3d: lodsw ax, word ptr [si]  ; next source word
0x12b3e: ror ax, cl  ; rotate right by cl
0x12b40: xor ax, cx  ; mix with cx
0x12b42: add ax, cx
0x12b44: stosw word ptr es:[di], ax  ; write the transformed word to es:[di]
0x12b45: dec word ptr [0x1ed]  ; one word fewer to go (the excerpt is cut off here)
2018-12-25T11:59:31.592287042Z 61 PC: 12a68 | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:59:31.599524957Z 64 PC: 12a77 | Write file or device (Write 354 bytes on handle 5)
2018-12-25T11:59:31.608028014Z 62 PC: 12a7b | Close file
2018-12-25T11:59:31.622941092Z 79 PC: 12aaa | Find next file
2018-12-25T11:59:31.62587794Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.628818242Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.640002667Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.64837578Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.657124994Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.660990427Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.663938716Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.671439412Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.680546608Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.689958436Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.693275385Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.697477865Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.70511329Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.713312215Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.722683734Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.726008902Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.728597813Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.735960637Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.744363442Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.753133285Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.755867939Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.758866977Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.766588657Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.774796422Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.785358501Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.788732425Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.791778799Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.800174049Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.807690751Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.816670161Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.820819898Z 44 PC: 12b1d | Get time (See above)
2018-12-25T11:59:31.824194922Z 61 PC: 12a68 | Open file (See above)
2018-12-25T11:59:31.831657636Z 64 PC: 12a77 | Write file or device (See above)
2018-12-25T11:59:31.835186781Z 62 PC: 12a7b | Close file (See above)
2018-12-25T11:59:31.845043296Z 79 PC: 12aaa | Find next file (See above)
2018-12-25T11:59:31.848131598Z 42 PC: 12ab4 | Get date 0x12ab4: cmp dh, 8
; Return path of the "Get date" call (op 42 = 0x2A); DOS returns the month in DH and the day in DL.
; The first instruction, `cmp dh, 8` at 0x12ab4, is on the trace row above.
; No print-string call (op 9) follows in the trace, so this run apparently took the jne path.
0x12ab7: jne 0x12ac5  ; month is not 8: straight to program exit
0x12ab9: cmp dl, 0x1f  ; day 31?
0x12abc: jne 0x12ac5
0x12abe: mov ah, 9  ; DOS function 09h: print the '$'-terminated string at ds:dx
0x12ac0: mov dx, 0x187
0x12ac3: int 0x21
0x12ac5: int 0x20  ; terminate the program
; --- data from here, decoded as code by the linear sweep: 0D 0A "F-PROT SUXXXX!" 0D 0A "TBA" ---
; NOTE(review): a segment base of 0x12940 would map offset 0x187 to 0x12ac7, making this the
; message printed above — confirm against a memory dump.
0x12ac7: or ax, 0x460a
0x12aca: sub ax, 0x5250
0x12acd: dec di
0x12ace: push sp
0x12acf: and byte ptr [bp + di + 0x55], dl
0x12ad2: pop ax
0x12ad3: pop ax
0x12ad4: pop ax
0x12ad5: pop ax
0x12ad6: and word ptr [di], cx
0x12ad8: or dl, byte ptr [si + 0x42]
0x12adb: inc cx