Sample viewer

vx.netlux.org/Virus.DOS.BetaBoys.459.b

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:42:54.756524997Z	26	PC: 12abb \| Set disk transfer address
2018-12-17T22:42:54.75884077Z	78	PC: 12ac6 \| Find first file
2018-12-17T22:42:54.765594554Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-17T22:42:54.766765523Z	79	PC: 12adb \| Find next file
2018-12-17T22:42:54.769811386Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-17T22:42:54.777882978Z	66	PC: 12afb \| Move file pointer
2018-12-17T22:42:54.779739101Z	66	PC: 12b0a \| Move file pointer
2018-12-17T22:42:54.781546825Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-17T22:42:54.790053346Z	66	PC: 12b2f \| Move file pointer
2018-12-17T22:42:54.791509585Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:42:54.794120818Z	66	PC: 12b49 \| Move file pointer
2018-12-17T22:42:54.796241107Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:42:54.799178139Z	66	PC: 12b6b \| Move file pointer
2018-12-17T22:42:54.800722397Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-17T22:42:54.805354344Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:42:54.808757453Z	62	PC: 12b8d \| Close file
2018-12-17T22:42:54.824183617Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-17T22:42:54.831610179Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:21.663514082Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:21.664497605Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:21.671104677Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:21.672065403Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:21.674487667Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:21.680806535Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:21.682246682Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:21.68331464Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:21.689223093Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:21.691031175Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:21.693305198Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:21.694542965Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:21.698044313Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:21.699465034Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:21.703272925Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:21.706339647Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:21.720337588Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:21.726215739Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21

{"DateBased":true,"Day":1,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:21.686649477Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:21.689003934Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:21.696359476Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:21.69765956Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:21.700894662Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:21.709314591Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:21.710934925Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:21.712494858Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:21.720166418Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:21.72232598Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:21.725029153Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:21.728090021Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:21.731316161Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:21.733258567Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:21.740193301Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:21.743451799Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:22.161619698Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:22.169913919Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21

{"DateBased":true,"Day":23,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:21.710962367Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:21.712498932Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:21.716666538Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:21.717409316Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:21.719780119Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:21.727773751Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:21.729192656Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:21.730381178Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:21.737395437Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:21.738600153Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:21.741011468Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:21.742812731Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:21.74555673Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:21.746765096Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:21.750005622Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:21.752799097Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:22.161397769Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:22.168546524Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21
2018-12-25T12:02:22.170882392Z	60	PC: 12bbb \| Create or truncate file

{"DateBased":true,"Day":24,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:22.168428939Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:22.169966666Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:22.175748172Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:22.17710874Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:22.180431329Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:22.187004586Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:22.188633909Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:22.190429543Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:22.196868934Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:22.198167605Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:22.200626423Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:22.202781768Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.205603153Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:22.207235657Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:22.211077112Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.213942599Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:22.22795073Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:22.234550904Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21
2018-12-25T12:02:22.236581032Z	60	PC: 12bc9 \| Create or truncate file

{"DateBased":true,"Day":25,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:22.171281691Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:22.173266934Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:22.179304408Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:22.180179513Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:22.183698216Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:22.191176984Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:22.192933222Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:22.19536495Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:22.208619355Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:22.210340211Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:22.214472082Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:22.216189392Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.219005849Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:22.221644044Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:22.224523073Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.22712017Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:22.241052038Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:22.248115388Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21

{"DateBased":true,"Day":25,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:22.816253316Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:22.818031973Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:22.825329653Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:22.826209929Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:22.835712944Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:22.842345793Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:22.843886706Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:22.845734182Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:22.853615764Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:22.855055539Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:22.857307521Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:22.859133444Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.861163759Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:22.862350065Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:22.864745022Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.866656605Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:22.878875509Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:22.883424181Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21
2018-12-25T12:02:31.019880434Z	66	PC: 12b2f \| Move file pointer (See above)
2018-12-25T12:02:31.075687107Z	80	PC: 12b6b \| Set current PSP (See above)
2018-12-25T12:02:31.078016652Z	83	PC: 12b8d \| Create disk parameter block (See above)
2018-12-25T12:02:31.079712083Z	215	PC: 12b95 \| UNKNOWN! (See above)
2018-12-25T12:02:31.080728143Z	215	PC: 12b99 \| UNKNOWN! (See above)

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:22.890345878Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:22.892465838Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:22.900223428Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:22.901827438Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:22.904868437Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:22.912532766Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:22.914404426Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:22.916306685Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:22.925263407Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:22.927024135Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:22.93004251Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:22.932566997Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.935734122Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:22.937489472Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:22.941201006Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:22.94447399Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:22.970679053Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:22.978262462Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21

{"DateBased":true,"Day":1,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:23.012656723Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:23.014427559Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:23.021956338Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:23.022735405Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:23.025639339Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:23.033636612Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:23.035231515Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:23.036741216Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:23.045509101Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:23.047260201Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:23.050085413Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:23.052121711Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:23.061087683Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:23.062559718Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:23.065333966Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:23.068250297Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:23.082809929Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:23.089882509Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21

{"DateBased":true,"Day":23,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:23.169612768Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:23.17150464Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:23.177582154Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:23.178529737Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:23.181757657Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:23.188438092Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:23.190008342Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:23.191769961Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:23.19855237Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:23.200099115Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:23.203131583Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:23.205123252Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:23.207569367Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:23.208704044Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:23.219476047Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:23.222123641Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:23.235214844Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:23.241334106Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21
2018-12-25T12:02:23.243267861Z	60	PC: 12bbb \| Create or truncate file

{"DateBased":true,"Day":24,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7703,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:02:23.640170281Z	26	PC: 12abb \| Set disk transfer address
2018-12-25T12:02:23.641826031Z	78	PC: 12ac6 \| Find first file
2018-12-25T12:02:23.647532558Z	180	PC: 12ad7 \| UNKNOWN!
2018-12-25T12:02:23.648114424Z	79	PC: 12adb \| Find next file
2018-12-25T12:02:23.651326198Z	61	PC: 12aed \| Open file (Filename = 'PRINT.COM')
2018-12-25T12:02:23.657922266Z	66	PC: 12afb \| Move file pointer
2018-12-25T12:02:23.65946986Z	66	PC: 12b0a \| Move file pointer
2018-12-25T12:02:23.660985993Z	63	PC: 12b15 \| Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:02:23.66801998Z	66	PC: 12b2f \| Move file pointer
2018-12-25T12:02:23.669248811Z	63	PC: 12b3e \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:02:23.671519206Z	66	PC: 12b49 \| Move file pointer
2018-12-25T12:02:23.6732452Z	64	PC: 12b60 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:23.675618795Z	66	PC: 12b6b \| Move file pointer
2018-12-25T12:02:23.676675585Z	64	PC: 12b77 \| Write file or device (Write 456 bytes on handle 5)
2018-12-25T12:02:23.679267238Z	64	PC: 12b86 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:02:23.681660288Z	62	PC: 12b8d \| Close file
2018-12-25T12:02:23.69430411Z	65	PC: 12b95 \| Delete file (Filename = '\windows\win.com')
2018-12-25T12:02:23.700148514Z	42	PC: 12b99 \| Get date 0x12b99: cmp dh, 2 0x12b9c: jne 0x12bdc 0x12b9e: cmp dl, 0x17 0x12ba1: je 0x12bb0 0x12ba3: cmp dl, 0x18 0x12ba6: je 0x12bbe 0x12ba8: cmp dl, 0x19 0x12bab: je 0x12bcc 0x12bad: jmp 0x12bdc 0x12baf: nop 0x12bb0: mov ah, 0x3c 0x12bb2: lea dx, word ptr [si + 0x119] 0x12bb6: mov cx, 1 0x12bb9: int 0x21 0x12bbb: jmp 0x12bdc 0x12bbd: nop 0x12bbe: mov ah, 0x3c 0x12bc0: lea dx, word ptr [si + 0x129] 0x12bc4: mov cx, 1 0x12bc7: int 0x21
2018-12-25T12:02:23.702064745Z	60	PC: 12bc9 \| Create or truncate file