Sample viewer

vx.netlux.org/Virus.DOS.Green.1036

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T22:45:00.716611619Z 26 PC: 12ab6 | Set disk transfer address
2018-12-17T22:45:00.718606847Z 71 PC: 12ac0 | Get current directory
2018-12-17T22:45:00.722730968Z 53 PC: 12ac5 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:45:00.724209914Z 37 PC: 12ad9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:45:00.726832571Z 42 PC: 12adf | Get date
0x12adf: cmp dh, 7
0x12ae2: je 0x12ae7
0x12ae4: jmp 0x12b84
0x12ae7: cmp dl, 3
0x12aea: je 0x12aef
0x12aec: jmp 0x12b84
0x12aef: mov ax, 0x201
0x12af2: mov cx, 1
0x12af5: xor dx, dx
0x12af7: lea bx, word ptr [bp + 0x4f4]
0x12afb: int 0x13
0x12afd: mov ah, 0x3c
0x12aff: xor cx, cx
0x12b01: lea dx, word ptr [bp + 0x204]
0x12b05: int 0x21
0x12b07: jb 0x12b27
0x12b09: xchg ax, bx
0x12b0a: mov ah, 0x40
0x12b0c: mov cx, 0x200
0x12b0f: lea dx, word ptr [bp + 0x4f4]
2018-12-17T22:45:00.729295777Z 78 PC: 12bc1 | Find first file
2018-12-17T22:45:00.732979537Z 67 PC: 12cf4 | Get or set file attributes
2018-12-17T22:45:00.738619304Z 67 PC: 12d13 | Get or set file attributes
2018-12-17T22:45:00.757872881Z 61 PC: 12d23 | Open file (Filename = 'TEST.EXE')
2018-12-17T22:45:00.762765093Z 63 PC: 12d40 | Read file or device (Read 26 bytes on handle 5)
2018-12-17T22:45:00.764578924Z 87 PC: 12ba5 | Get or set file date and time
2018-12-17T22:45:00.766275744Z 62 PC: 12baa | Close file
2018-12-17T22:45:00.771513296Z 67 PC: 12bb7 | Get or set file attributes
2018-12-17T22:45:00.778532444Z 79 PC: 12bc1 | Find next file
2018-12-17T22:45:00.780882058Z 59 PC: 12b91 | Change current directory
2018-12-17T22:45:00.783716806Z 59 PC: 12be2 | Change current directory
2018-12-17T22:45:00.789184148Z 78 PC: 12bc1 | Find first file
2018-12-17T22:45:00.804781881Z 67 PC: 12cf4 | Get or set file attributes
2018-12-17T22:45:00.810329541Z 67 PC: 12d13 | Get or set file attributes
2018-12-17T22:45:00.819919991Z 61 PC: 12d23 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:45:00.827461978Z 66 PC: 12c60 | Move file pointer
2018-12-17T22:45:00.828862511Z 66 PC: 12c7c | Move file pointer
2018-12-17T22:45:00.830480442Z 63 PC: 12c87 | Read file or device (Read 1 bytes on handle 5)
2018-12-17T22:45:00.841233373Z 66 PC: 12c60 | Move file pointer
2018-12-17T22:45:00.842578346Z 63 PC: 12caa | Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:45:00.845064723Z 66 PC: 12c60 | Move file pointer
2018-12-17T22:45:00.84702144Z 66 PC: 12c60 | Move file pointer
2018-12-17T22:45:00.848306533Z 64 PC: 12cd3 | Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:45:00.850860164Z 66 PC: 12c60 | Move file pointer
2018-12-17T22:45:00.85263086Z 44 PC: 12dfa | Get time
0x12dfa: mov byte ptr [bp + 0x40d], dl
0x12dfe: call 0x12e23
0x12e01: call 0x12e3a
0x12e04: mov cx, 0x40c
0x12e07: mov ah, 0x40
0x12e09: lea dx, word ptr [bp + 4]
0x12e0d: int 0x21
0x12e0f: call 0x12e3a
0x12e12: call 0x12e23
0x12e15: pop ax
0x12e16: mov byte ptr [bp + 0x210], al
0x12e1a: call 0x22b98
0x12e1d: call 0x22ba6
0x12e20: jmp 0x12bda
0x12e23: cld
0x12e24: push cs
0x12e25: pop es
0x12e26: mov ah, byte ptr [bp + 0x40d]
0x12e2a: mov cx, 0x38e
0x12e2d: lea si, word ptr [bp + 0x30]
2018-12-17T22:45:00.855244826Z 64 PC: 12e0f | Write file or device (Write 1036 bytes on handle 5)
2018-12-17T22:45:00.864133151Z 87 PC: 12ba5 | Get or set file date and time
2018-12-17T22:45:00.865950833Z 62 PC: 12baa | Close file
2018-12-17T22:45:00.873700344Z 67 PC: 12bb7 | Get or set file attributes
2018-12-17T22:45:00.883241008Z 59 PC: 12be2 | Change current directory
2018-12-17T22:45:00.888994158Z 37 PC: 12bf6 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:45:00.890204446Z 26 PC: 12c12 | Set disk transfer address
2018-12-17T22:45:00.891215676Z 76 PC: 12a44 | Terminate with return code (Return code = '164')

{"DateBased":true,"Day":3,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8410,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:04:32.539391438Z 26 PC: 12ab6 | Set disk transfer address
2018-12-25T12:04:32.540970171Z 71 PC: 12ac0 | Get current directory
2018-12-25T12:04:32.543337361Z 53 PC: 12ac5 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.544429382Z 37 PC: 12ad9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.54601263Z 42 PC: 12adf | Get date
0x12adf: cmp dh, 7
0x12ae2: je 0x12ae7
0x12ae4: jmp 0x12b84
0x12ae7: cmp dl, 3
0x12aea: je 0x12aef
0x12aec: jmp 0x12b84
0x12aef: mov ax, 0x201
0x12af2: mov cx, 1
0x12af5: xor dx, dx
0x12af7: lea bx, word ptr [bp + 0x4f4]
0x12afb: int 0x13
0x12afd: mov ah, 0x3c
0x12aff: xor cx, cx
0x12b01: lea dx, word ptr [bp + 0x204]
0x12b05: int 0x21
0x12b07: jb 0x12b27
0x12b09: xchg ax, bx
0x12b0a: mov ah, 0x40
0x12b0c: mov cx, 0x200
0x12b0f: lea dx, word ptr [bp + 0x4f4]
2018-12-25T12:04:32.549135501Z 60 PC: 12b07 | Create or truncate file
2018-12-25T12:04:32.57051042Z 64 PC: 12b15 | Write file or device (Write 512 bytes on handle 5)
2018-12-25T12:04:32.576604581Z 62 PC: 12b19 | Close file
2018-12-25T12:04:34.711742115Z 72 PC: 8f1b9 | Allocate memory
2018-12-25T12:04:34.713027385Z 72 PC: 8f1bd | Allocate memory
2018-12-25T12:04:34.714608882Z 99 PC: 90858 | Get DBCS lead byte table pointer
2018-12-25T12:04:34.717213844Z 61 PC: 91f88 | Open file (Filename = 'C:\WINDOWS\HIMEM.SYS')
2018-12-25T12:04:34.729609444Z 66 PC: 91f95 | Move file pointer
2018-12-25T12:04:34.731347468Z 62 PC: 91fc1 | Close file
2018-12-25T12:04:34.734005712Z 75 PC: 91fe0 | Execute program
2018-12-25T12:04:34.750118001Z 98 PC: 916f1 | Get current PSP
2018-12-25T12:04:34.751359253Z 9 PC: c605 | Display string (String= '6��r�&;] u')
2018-12-25T12:04:34.755771607Z 48 PC: c609 | Get DOS version
2018-12-25T12:04:34.758661014Z 9 PC: c382 | Display string (String= ' Installed A20 handler number ')
2018-12-25T12:04:34.760872919Z 2 PC: c38c | Character output (Char = '32')
2018-12-25T12:04:34.76349509Z 2 PC: c3a7 | Character output (Char = '2e')
2018-12-25T12:04:34.766581521Z 9 PC: c6d9 | Display string (String= '�����VH�VD���V@��������������_���Ku��t1��������D�����t �� ��������a1��Z�����W���� ������5���|�����(���������Nj�(��������p�^')
2018-12-25T12:04:34.769842922Z 9 PC: c6e0 | Display string (String= '�5���|�����(���������Nj�(��������p�^')
2018-12-25T12:04:34.774350058Z 61 PC: 91f88 | Open file (See above)
2018-12-25T12:04:34.78330884Z 66 PC: 91f95 | Move file pointer (See above)
2018-12-25T12:04:34.784429163Z 62 PC: 91fc1 | Close file (See above)
2018-12-25T12:04:34.786303995Z 75 PC: 91fe0 | Execute program (See above)
2018-12-25T12:04:34.806949008Z 98 PC: 916f1 | Get current PSP (See above)
2018-12-25T12:04:34.810401769Z 82 PC: 13d46 | Get DOS internal pointers (SYSVARS)
2018-12-25T12:04:34.81189753Z 53 PC: 13ac3 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:04:34.813205397Z 37 PC: 13ad6 | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:04:34.814211931Z 53 PC: 13ae0 | Get interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T12:04:34.815235276Z 37 PC: 13af3 | Set interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T12:04:34.816558596Z 9 PC: 13a0d | Display string (Could not find end pointer)
2018-12-25T12:04:34.822327962Z 62 PC: 8f8eb | Close file
2018-12-25T12:04:34.823691714Z 62 PC: 8f8f2 | Close file
2018-12-25T12:04:34.825662548Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.827141016Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.828398831Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.830109499Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.831566564Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.833076399Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.835162001Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.836680732Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.837942214Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.839610896Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.840945787Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.842088928Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.84380572Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.845730575Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.846989539Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.84874145Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.849999443Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.851213324Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.852792518Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.854030137Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.855228807Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.856795631Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.85800783Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.858975637Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.860520856Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.86206899Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.863611727Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.865232945Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.867151916Z 62 PC: 8f8f2 | Close file (See above)
2018-12-25T12:04:34.868724537Z 61 PC: 8f8ff | Open file (Filename = '')
2018-12-25T12:04:34.873614574Z 62 PC: 8f90e | Close file
2018-12-25T12:04:34.875410933Z 69 PC: 8f915 | Duplicate handle
2018-12-25T12:04:34.876825688Z 69 PC: 8f919 | Duplicate handle
2018-12-25T12:04:34.878231794Z 61 PC: 9387b | Open file (Filename = '')
2018-12-25T12:04:34.883017448Z 68 PC: 9386b | I/O control for devices (Set for = '')
2018-12-25T12:04:34.884586931Z 61 PC: 9387b | Open file (See above)
2018-12-25T12:04:34.889008678Z 68 PC: 9386b | I/O control for devices (See above)
2018-12-25T12:04:34.890713952Z 74 PC: 8f9c4 | Reallocate memory
2018-12-25T12:04:34.892063131Z 72 PC: 8f9e0 | Allocate memory
2018-12-25T12:04:34.893479344Z 72 PC: 8f9e4 | Allocate memory
2018-12-25T12:04:34.895042461Z 74 PC: 8f9fb | Reallocate memory
2018-12-25T12:04:34.896245616Z 72 PC: 8fa02 | Allocate memory
2018-12-25T12:04:34.897542786Z 72 PC: 8fa06 | Allocate memory
2018-12-25T12:04:34.899105228Z 73 PC: 8fa11 | Release memory
2018-12-25T12:04:34.900443814Z 73 PC: 8efea | Release memory
2018-12-25T12:04:34.901434965Z 74 PC: 8f003 | Reallocate memory
2018-12-25T12:04:34.90306148Z 72 PC: 8f054 | Allocate memory
2018-12-25T12:04:34.904646837Z 72 PC: 8f058 | Allocate memory
2018-12-25T12:04:34.905949955Z 73 PC: 8f060 | Release memory
2018-12-25T12:04:34.907513522Z 61 PC: 8f080 | Open file (Filename = '')
2018-12-25T12:04:34.915013876Z 63 PC: 8f095 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:04:34.920050277Z 66 PC: 8f0ad | Move file pointer
2018-12-25T12:04:34.921657536Z 62 PC: 8f0d1 | Close file
2018-12-25T12:04:34.923110954Z 75 PC: 8f0f2 | Execute program
2018-12-25T12:04:34.939328751Z 80 PC: 12be9 | Set current PSP
2018-12-25T12:04:34.940276281Z 48 PC: 12bee | Get DOS version
2018-12-25T12:04:34.942272307Z 99 PC: 193d0 | Get DBCS lead byte table pointer
2018-12-25T12:04:34.945037263Z 101 PC: 12c74 | Get extended country info
2018-12-25T12:04:34.946905877Z 99 PC: 12c7a | Get DBCS lead byte table pointer
2018-12-25T12:04:34.948513116Z 74 PC: 12cdc | Reallocate memory
2018-12-25T12:04:34.950091294Z 72 PC: 1355d | Allocate memory
2018-12-25T12:04:34.952250179Z 25 PC: 13596 | Get default drive
2018-12-25T12:04:34.953638206Z 71 PC: 135ad | Get current directory
2018-12-25T12:04:34.95612479Z 59 PC: 135ba | Change current directory
2018-12-25T12:04:34.962348396Z 59 PC: 135c8 | Change current directory
2018-12-25T12:04:34.968777007Z 59 PC: 135d3 | Change current directory
2018-12-25T12:04:34.972517493Z 25 PC: 12d13 | Get default drive
2018-12-25T12:04:34.97404115Z 37 PC: 127d3 | Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-25T12:04:34.975224271Z 37 PC: 127da | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:04:34.97615774Z 37 PC: 127e1 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:34.978530745Z 80 PC: 1301d | Set current PSP
2018-12-25T12:04:34.979424025Z 37 PC: 13041 | Set interrupt vector (Interrupt = '46' AKA 'Set verify flag')
2018-12-25T12:04:34.980576813Z 53 PC: 13362 | Get interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T12:04:34.982036136Z 37 PC: 13383 | Set interrupt vector (Interrupt = '47' AKA 'Get disk transfer address')
2018-12-25T12:04:34.983227221Z 51 PC: 13417 | Get or set Ctrl-Break
2018-12-25T12:04:34.984838801Z 72 PC: 130ec | Allocate memory
2018-12-25T12:04:34.986790047Z 61 PC: 131b2 | Open file (Filename = '')
2018-12-25T12:04:34.992084904Z 62 PC: 131ba | Close file
2018-12-25T12:04:34.993704843Z 51 PC: 1344c | Get or set Ctrl-Break
2018-12-25T12:04:34.994774913Z 74 PC: 1197c | Reallocate memory
2018-12-25T12:04:34.996043872Z 72 PC: 11991 | Allocate memory
2018-12-25T12:04:34.997272437Z 73 PC: 119b2 | Release memory
2018-12-25T12:04:34.998596182Z 72 PC: 119bd | Allocate memory
2018-12-25T12:04:34.999888965Z 73 PC: 119df | Release memory
2018-12-25T12:04:35.000893212Z 72 PC: 119f5 | Allocate memory
2018-12-25T12:04:35.002226748Z 72 PC: 119fd | Allocate memory

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8410,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:04:32.680321405Z 26 PC: 12ab6 | Set disk transfer address
2018-12-25T12:04:32.682125854Z 71 PC: 12ac0 | Get current directory
2018-12-25T12:04:32.684759405Z 53 PC: 12ac5 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.685745448Z 37 PC: 12ad9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.687301271Z 42 PC: 12adf | Get date
0x12adf: cmp dh, 7
0x12ae2: je 0x12ae7
0x12ae4: jmp 0x12b84
0x12ae7: cmp dl, 3
0x12aea: je 0x12aef
0x12aec: jmp 0x12b84
0x12aef: mov ax, 0x201
0x12af2: mov cx, 1
0x12af5: xor dx, dx
0x12af7: lea bx, word ptr [bp + 0x4f4]
0x12afb: int 0x13
0x12afd: mov ah, 0x3c
0x12aff: xor cx, cx
0x12b01: lea dx, word ptr [bp + 0x204]
0x12b05: int 0x21
0x12b07: jb 0x12b27
0x12b09: xchg ax, bx
0x12b0a: mov ah, 0x40
0x12b0c: mov cx, 0x200
0x12b0f: lea dx, word ptr [bp + 0x4f4]
2018-12-25T12:04:32.689335561Z 78 PC: 12bc1 | Find first file
2018-12-25T12:04:32.695033286Z 67 PC: 12cf4 | Get or set file attributes
2018-12-25T12:04:32.706050004Z 67 PC: 12d13 | Get or set file attributes
2018-12-25T12:04:32.721608669Z 61 PC: 12d23 | Open file (Filename = 'TEST.EXE')
2018-12-25T12:04:32.725582809Z 63 PC: 12d40 | Read file or device (Read 26 bytes on handle 5)
2018-12-25T12:04:32.729627074Z 87 PC: 12ba5 | Get or set file date and time
2018-12-25T12:04:32.731121119Z 62 PC: 12baa | Close file
2018-12-25T12:04:32.737984194Z 67 PC: 12bb7 | Get or set file attributes
2018-12-25T12:04:32.747720269Z 79 PC: 12bc1 | Find next file (See above)
2018-12-25T12:04:32.75019839Z 59 PC: 12b91 | Change current directory
2018-12-25T12:04:32.759089823Z 59 PC: 12be2 | Change current directory
2018-12-25T12:04:32.767489206Z 78 PC: 12bc1 | Find first file (See above)
2018-12-25T12:04:32.778392428Z 67 PC: 12cf4 | Get or set file attributes (See above)
2018-12-25T12:04:32.782710556Z 67 PC: 12d13 | Get or set file attributes (See above)
2018-12-25T12:04:32.791811484Z 61 PC: 12d23 | Open file (See above)
2018-12-25T12:04:32.79929075Z 66 PC: 12c60 | Move file pointer
2018-12-25T12:04:32.800706701Z 66 PC: 12c7c | Move file pointer
2018-12-25T12:04:32.802013854Z 63 PC: 12c87 | Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:04:32.808936157Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.810212593Z 63 PC: 12caa | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:04:32.812782406Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.814577917Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.815802067Z 64 PC: 12cd3 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:04:32.818421975Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.820451528Z 44 PC: 12dfa | Get time
0x12dfa: mov byte ptr [bp + 0x40d], dl
0x12dfe: call 0x12e23
0x12e01: call 0x12e3a
0x12e04: mov cx, 0x40c
0x12e07: mov ah, 0x40
0x12e09: lea dx, word ptr [bp + 4]
0x12e0d: int 0x21
0x12e0f: call 0x12e3a
0x12e12: call 0x12e23
0x12e15: pop ax
0x12e16: mov byte ptr [bp + 0x210], al
0x12e1a: call 0x22b98
0x12e1d: call 0x22ba6
0x12e20: jmp 0x12bda
0x12e23: cld
0x12e24: push cs
0x12e25: pop es
0x12e26: mov ah, byte ptr [bp + 0x40d]
0x12e2a: mov cx, 0x38e
0x12e2d: lea si, word ptr [bp + 0x30]
2018-12-25T12:04:32.823072948Z 64 PC: 12e0f | Write file or device (Write 1036 bytes on handle 5)
2018-12-25T12:04:32.831822656Z 87 PC: 12ba5 | Get or set file date and time (See above)
2018-12-25T12:04:32.833678784Z 62 PC: 12baa | Close file (See above)
2018-12-25T12:04:32.840489663Z 67 PC: 12bb7 | Get or set file attributes (See above)
2018-12-25T12:04:32.847004768Z 59 PC: 12be2 | Change current directory (See above)
2018-12-25T12:04:32.850480025Z 37 PC: 12bf6 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.851757168Z 26 PC: 12c12 | Set disk transfer address
2018-12-25T12:04:32.852659604Z 76 PC: 12a44 | Terminate with return code (Return code = '164')

{"DateBased":true,"Day":1,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8410,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:04:32.686617484Z 26 PC: 12ab6 | Set disk transfer address
2018-12-25T12:04:32.688525259Z 71 PC: 12ac0 | Get current directory
2018-12-25T12:04:32.691346805Z 53 PC: 12ac5 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.692658156Z 37 PC: 12ad9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.694160934Z 42 PC: 12adf | Get date
0x12adf: cmp dh, 7
0x12ae2: je 0x12ae7
0x12ae4: jmp 0x12b84
0x12ae7: cmp dl, 3
0x12aea: je 0x12aef
0x12aec: jmp 0x12b84
0x12aef: mov ax, 0x201
0x12af2: mov cx, 1
0x12af5: xor dx, dx
0x12af7: lea bx, word ptr [bp + 0x4f4]
0x12afb: int 0x13
0x12afd: mov ah, 0x3c
0x12aff: xor cx, cx
0x12b01: lea dx, word ptr [bp + 0x204]
0x12b05: int 0x21
0x12b07: jb 0x12b27
0x12b09: xchg ax, bx
0x12b0a: mov ah, 0x40
0x12b0c: mov cx, 0x200
0x12b0f: lea dx, word ptr [bp + 0x4f4]
2018-12-25T12:04:32.696204723Z 78 PC: 12bc1 | Find first file
2018-12-25T12:04:32.701943335Z 67 PC: 12cf4 | Get or set file attributes
2018-12-25T12:04:32.720680796Z 67 PC: 12d13 | Get or set file attributes
2018-12-25T12:04:32.738450151Z 61 PC: 12d23 | Open file (Filename = 'TEST.EXE')
2018-12-25T12:04:32.744009286Z 63 PC: 12d40 | Read file or device (Read 26 bytes on handle 5)
2018-12-25T12:04:32.748249215Z 87 PC: 12ba5 | Get or set file date and time
2018-12-25T12:04:32.749330092Z 62 PC: 12baa | Close file
2018-12-25T12:04:32.753655525Z 67 PC: 12bb7 | Get or set file attributes
2018-12-25T12:04:32.759663501Z 79 PC: 12bc1 | Find next file (See above)
2018-12-25T12:04:32.76137017Z 59 PC: 12b91 | Change current directory
2018-12-25T12:04:32.763796824Z 59 PC: 12be2 | Change current directory
2018-12-25T12:04:32.768969893Z 78 PC: 12bc1 | Find first file (See above)
2018-12-25T12:04:32.775580685Z 67 PC: 12cf4 | Get or set file attributes (See above)
2018-12-25T12:04:32.781865798Z 67 PC: 12d13 | Get or set file attributes (See above)
2018-12-25T12:04:32.789308002Z 61 PC: 12d23 | Open file (See above)
2018-12-25T12:04:32.796672066Z 66 PC: 12c60 | Move file pointer
2018-12-25T12:04:32.79792584Z 66 PC: 12c7c | Move file pointer
2018-12-25T12:04:32.799196773Z 63 PC: 12c87 | Read file or device (Read 1 bytes on handle 5)
2018-12-25T12:04:32.805502498Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.806683379Z 63 PC: 12caa | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:04:32.808991842Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.810665627Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.811869584Z 64 PC: 12cd3 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:04:32.814277023Z 66 PC: 12c60 | Move file pointer (See above)
2018-12-25T12:04:32.815826874Z 44 PC: 12dfa | Get time
0x12dfa: mov byte ptr [bp + 0x40d], dl
0x12dfe: call 0x12e23
0x12e01: call 0x12e3a
0x12e04: mov cx, 0x40c
0x12e07: mov ah, 0x40
0x12e09: lea dx, word ptr [bp + 4]
0x12e0d: int 0x21
0x12e0f: call 0x12e3a
0x12e12: call 0x12e23
0x12e15: pop ax
0x12e16: mov byte ptr [bp + 0x210], al
0x12e1a: call 0x22b98
0x12e1d: call 0x22ba6
0x12e20: jmp 0x12bda
0x12e23: cld
0x12e24: push cs
0x12e25: pop es
0x12e26: mov ah, byte ptr [bp + 0x40d]
0x12e2a: mov cx, 0x38e
0x12e2d: lea si, word ptr [bp + 0x30]
2018-12-25T12:04:32.817461848Z 64 PC: 12e0f | Write file or device (Write 1036 bytes on handle 5)
2018-12-25T12:04:32.822933762Z 87 PC: 12ba5 | Get or set file date and time (See above)
2018-12-25T12:04:32.824290714Z 62 PC: 12baa | Close file (See above)
2018-12-25T12:04:32.829194469Z 67 PC: 12bb7 | Get or set file attributes (See above)
2018-12-25T12:04:32.838896378Z 59 PC: 12be2 | Change current directory (See above)
2018-12-25T12:04:32.843255652Z 37 PC: 12bf6 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:04:32.844349842Z 26 PC: 12c12 | Set disk transfer address
2018-12-25T12:04:32.845325794Z 76 PC: 12a44 | Terminate with return code (Return code = '164')