{
	"id": "5678a604-0f53-468b-9ee7-1dae33b42969",
	"created_at": "2026-04-10T03:22:09.821733Z",
	"updated_at": "2026-04-10T13:12:45.488414Z",
	"deleted_at": null,
	"sha1_hash": "81c77a254f0645a17b6830876212f16dc48b7341",
	"title": "Quick analysis note about DealPly (Adware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1291308,
	"plain_text": "Quick analysis note about DealPly (Adware)\r\nPublished: 2021-05-11 · Archived: 2026-04-10 03:19:04 UTC\r\nOverview\r\nSome information about DealPly can be found here:\r\nDealPly adware abuses Microsoft, McAfee services to evade detection\r\nAdware.DealPly\r\nThe post focuses on the following main sections:\r\nUnpack the wrapper/loader to get the main DLL payload.\r\nDecrypt the C2 URL and the strings used in the malware code.\r\nSample:\r\nSHA-256: 40584f79d109a18b1c4ea7e75a945324978652b6afcc9efbe62241717f0b4685\r\nUnpacking wrapper/loader to get main DLL payload\r\nMost of the DealPly loaders are coded in Delphi. When run without parameters, the loader only shows the following form:\r\nhttps://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/\r\nPage 1 of 20\n\nWhen executed with parameters, it unpacks a DLL into allocated memory. This DLL is mainly responsible for connecting to and interacting with the C2. To unpack it, place a breakpoint on VirtualAlloc, run the program and follow the allocated memory region. Keep watching until the loader unpacks a new PE (a DLL) whose DOS_HEADER and NT_HEADERS have had all relevant information destroyed:\r\nDumping it and fixing DOS_HEADER and NT_HEADERS gives the correct main DLL:\r\nAnalysis of DLL payload\r\nDecrypt C2Url\r\nLoad the dumped DLL into IDA and go to the code of the Run function. Here it calls the f_main_proc function. 
The f_main_proc function accepts the passed parameters, of which the third is the encoded C2. Diving into the code of f_main_proc reveals the function responsible for decoding the malware’s C2:\r\nThe code of the f_tranform_c2Url function recalculates the bytes of enC2Url:\r\nAfter the transform is complete, f_decrypt_c2Url is called to decode the C2. In essence, f_decrypt_c2Url decrypts with XOR; the xor_key is calculated from the last 2 bytes of the transformed enC2Url above:\r\nWith all the above information and pseudo-code, I rewrote the code that decodes the C2 in Python as follows:\r\nimport numpy as np\r\n#----------------------------------------------------------------------\r\ndef calc_value(c, val_0x2C):\r\n    \"\"\"Recalculate one byte of the encoded C2 URL (mirrors f_tranform_c2Url).\"\"\"\r\n    tmp = val_0x2C - 0x2B\r\n    if tmp:\r\n        tmp2 = tmp - 2\r\n        if tmp2:\r\n            if tmp2 == 1:\r\n                c = c + 0x85\r\n            else:\r\n                c = c \u0026 0xFF\r\n        else:\r\n            c = c + 0x4B\r\n    else:\r\n        c = c - 0x30\r\n\r\n    # Values that fall outside a byte are replaced with '?' (0x3F)\r\n    if c \u003c 0 or c \u003e 0xFF:\r\n        c = 0x3F\r\n\r\n    return c\r\n#----------------------------------------------------------------------\r\ndef int_to_bytes(value, length):\r\n    \"\"\"Split an integer into `length` little-endian bytes.\"\"\"\r\n    result = []\r\n    for i in range(0, length):\r\n        result.append(value \u003e\u003e (i * 8) \u0026 0xFF)\r\n\r\n    return result\r\n\r\n#----------------------------------------------------------------------\r\ndef decrypt_c2url(encUrl, xor_tbl):\r\n    \"\"\"XOR the transformed C2 bytes with the 4-byte key (mirrors f_decrypt_c2Url).\"\"\"\r\n    c2_url = \"\"\r\n    dec_c2 = []\r\n    j = 0\r\n    i = 0\r\n    len_c2 = len(encUrl)\r\n    # Full 4-byte blocks first\r\n    if len_c2 \u003e= 4:\r\n        i = len_c2 // 4\r\n        if len_c2 // 4 - 1 \u003e= 0:\r\n            counter = len_c2 // 4\r\n            while counter:\r\n                for k in range(len(xor_tbl)):\r\n                    dec_c2.append(encUrl[j] ^ xor_tbl[j % len(xor_tbl)])\r\n                    j += 1\r\n                counter -= 1\r\n    # Then the remaining bytes (fewer than 4)\r\n    j = 0\r\n    if len_c2 \u003e= 4 * i + 1:\r\n        counter = len_c2 - 4 * i\r\n        idx = 4 * i + 1\r\n\r\n        while counter:\r\n            dec_c2.append(encUrl[idx - 1] ^ xor_tbl[j])\r\n            j = (j + 1) % 4\r\n            idx += 1\r\n            counter -= 1\r\n\r\n    for i in dec_c2:\r\n        c2_url += chr(i)\r\n\r\n    return c2_url\r\n\r\n#----------------------------------------------------------------------\r\ndef main(encC2):\r\n    \"\"\"encC2: the encoded C2 bytes passed as the third parameter of f_main_proc.\"\"\"\r\n    C2_transform = [0] * len(encC2)\r\n    tmp_tbl = []\r\n    val_0x2C = 0x2C\r\n    i = 1\r\n    j = 1\r\n\r\n    # Transform pass (f_tranform_c2Url)\r\n    while j \u003c= len(encC2):\r\n        c = encC2[j - 1]\r\n        j += 1\r\n        if (c - 0x2B) \u003e= 4:\r\n            calced_val = calc_value(c, val_0x2C)\r\n            C2_transform[i - 1] = calced_val\r\n            i += 1\r\n        elif c == val_0x2C:\r\n            # c equals the current marker value: the following byte is copied through unchanged\r\n            if j \u003e len(encC2):\r\n                break\r\n            C2_transform[i - 1] = encC2[j - 1]\r\n            i += 1\r\n            j += 1\r\n        else:\r\n            # otherwise c becomes the new marker value\r\n            val_0x2C = c\r\n    C2_transform = np.trim_zeros(C2_transform)\r\n    # The last 2 transformed bytes seed the 4-byte XOR key\r\n    tmp_tbl = C2_transform[len(C2_transform) - 2:len(C2_transform)]\r\n    C2_transform = C2_transform[:len(C2_transform) - 2]\r\n    tmp_val = ((tmp_tbl[1] + (tmp_tbl[0] \u003c\u003c 8)) \u0026 0xF) + 0x10 * (tmp_tbl[1] \u0026 0xF0) + (((tmp_tbl[1] +\r\n    xor_tbl = int_to_bytes(tmp_val, 4)\r\n\r\n    print(decrypt_c2url(C2_transform, xor_tbl))\r\nExecuting the script and checking the results shows that this sample connects to buluw[.]com:\r\nDecrypt strings\r\nAll strings used by the malware are encrypted and are only decrypted when needed. Analysing the code reveals the function responsible for the decoding:\r\nThe code of this function is as follows:\r\nAs the picture above shows, the f_decrypt_string function takes as its argument the address that holds the pointer to the encrypted string (e.g. off_41C174). The function that performs the actual decryption is f_decrypt_str, which takes an additional parameter g_calc_tbl, a table of 256 elements used in the calculation. The code of f_decrypt_str looks like this:\r\nBased on the pseudo-code analysed above, I rewrote it as an IDAPython script that decodes all the strings:\r\nimport idc\r\nimport idautils\r\n\r\n# Address of the string-decryption routine that the call sites reference\r\ndec_routine = 0x00414AA8\r\n# g_calc_tbl: the 256-element lookup table copied from the sample\r\ncalc_tbl = [0x00, 0xD3, 0xBA, 0x30, 0xD7, 0xD8, 0xC1, 0xC9, 0xEB, 0x84, 0xAD, 0x88, 0x9C, 0x47, 0x74\r\n#----------------------------------------------------------------------\r\ndef get_encrypted_bytes(addr):\r\n    \"\"\"Read the NUL-terminated encrypted string pointed to by the instruction's second operand.\"\"\"\r\n    enc_bytes = []\r\n    enc_bytes_addr = idc.get_wide_dword(idc.get_operand_value(addr, 1))\r\n\r\n    while idc.get_wide_byte(enc_bytes_addr) != 0x0:\r\n        enc_bytes.append(idc.get_wide_byte(enc_bytes_addr))\r\n        enc_bytes_addr += 1\r\n\r\n    return enc_bytes\r\n#----------------------------------------------------------------------\r\ndef decrypt(enc_str):\r\n    \"\"\"Decode one encrypted string (mirrors f_decrypt_str).\"\"\"\r\n    plain_txt = \"\"\r\n    decStr = [0] * len(enc_str)\r\n    # The first byte selects the table entry that derives both parameters\r\n    calc_tbl_val = calc_tbl[enc_str[0]]\r\n    tmp1 = calc_tbl_val % 7   # decStr[:tmp1 + 1] is discarded below\r\n    tmp2 = calc_tbl_val % 9   # subtracted, scaled by the byte position\r\n    strLen = len(enc_str) - 1\r\n    j = 2\r\n    for i in range(strLen):\r\n        c = calc_tbl[enc_str[j - 1]] - tmp2 * (j - 1)\r\n        decStr[j - 1] = c \u0026 0xFF\r\n        j += 1\r\n\r\n    for i in decStr[tmp1 + 1:]:\r\n        plain_txt += chr(i)\r\n\r\n    return plain_txt\r\n#----------------------------------------------------------------------\r\ndef decrypt_strings(func_addr):\r\n    \"\"\"For every xref to the decrypt routine, find the mov that loads the string pointer, decrypt it and comment the call site.\"\"\"\r\n    for x in idautils.XrefsTo(func_addr, 0):\r\n        org_addr = x.frm\r\n        curr_addr = x.frm\r\n        addr_minus_20 = curr_addr - 20\r\n\r\n        # Look back at most 20 bytes for the instruction that loads edx/eax\r\n        while curr_addr \u003e= addr_minus_20:\r\n            curr_addr = idc.prev_head(curr_addr)\r\n            if 'edx' in idc.print_operand(curr_addr, 0) and idc.get_operand_type(curr_addr, 1) == idc\r\n                enc_bytes = get_encrypted_bytes(curr_addr)\r\n                dec_str = decrypt(enc_bytes)\r\n                print(\"org_addr: %s, decrypted string: %s\" % (hex(org_addr), dec_str))\r\n                idc.set_cmt(org_addr, dec_str, 0)\r\n            elif 'eax' in idc.print_operand(curr_addr, 0) and idc.get_operand_type(curr_addr, 1) == i\r\n                enc_bytes = get_encrypted_bytes(curr_addr)\r\n                dec_str = decrypt(enc_bytes)\r\n                print(\"org_addr: %s, decrypted string: %s\" % (hex(org_addr), dec_str))\r\n                idc.set_cmt(org_addr, dec_str, 0)\r\n\r\n#----------------------------------------------------------------------\r\ndef main():\r\n    decrypt_strings(dec_routine)\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nExecuting the above script:\r\nAll the strings are decrypted:\r\norg_addr: 0x405529, decrypted string: IPHLPAPI.dll\r\norg_addr: 0x40555f, decrypted string: GetIfTable\r\norg_addr: 0x40558e, decrypted string: GetAdaptersInfo\r\norg_addr: 0x4055bd, decrypted string: GetNetworkParams\r\norg_addr: 0x4059a1, decrypted string: 00155D\r\norg_addr: 0x4059c7, decrypted string: 0003FF\r\norg_addr: 0x4059ed, decrypted string: 0050F2\r\norg_addr: 0x405a13, decrypted string: 000D3A\r\norg_addr: 0x405a38, decrypted string: AZR\r\norg_addr: 0x405a51, decrypted string: 123139\r\norg_addr: 0x405a77, decrypted string: 22000A\r\norg_addr: 0x405a9c, decrypted string: AMZ\r\norg_addr: 0x405ab5, decrypted string: 000C29\r\norg_addr: 0x405adb, decrypted string: 
000569\r\norg_addr: 0x405b01, decrypted string: 001C14\r\norg_addr: 0x405b27, decrypted string: 005056\r\norg_addr: 0x405b4c, decrypted string: VMW\r\norg_addr: 0x405b65, decrypted string: 001C42\r\norg_addr: 0x405b8a, decrypted string: PRL\r\norg_addr: 0x405ba3, decrypted string: 00163E\r\norg_addr: 0x405bc8, decrypted string: XEN\r\norg_addr: 0x405be1, decrypted string: 080027\r\norg_addr: 0x405c0c, decrypted string: VBX\r\norg_addr: 0x405cbd, decrypted string: VMW\r\norg_addr: 0x405ce2, decrypted string: XEN\r\norg_addr: 0x405d80, decrypted string: 00059A3C7800\r\norg_addr: 0x405da4, decrypted string: 000000\r\norg_addr: 0x405dc1, decrypted string: 000000\r\norg_addr: 0x405de6, decrypted string: 005345000000\r\norg_addr: 0x405e0a, decrypted string: 00F1D000F1D0\r\norg_addr: 0x405e2e, decrypted string: 00A0C6000000\r\norg_addr: 0x405e52, decrypted string: 000000000010\r\norg_addr: 0x405e76, decrypted string: 000000000030\r\norg_addr: 0x405e9a, decrypted string: 028037EC0200\r\norg_addr: 0x405ebe, decrypted string: FFFFFFF\r\norg_addr: 0x405edb, decrypted string: FFFFF\r\norg_addr: 0x406355, decrypted string: ldr1\r\norg_addr: 0x406398, decrypted string: ldr2\r\norg_addr: 0x406444, decrypted string: ShellExecuteA\r\norg_addr: 0x406461, decrypted string: shell32.dll\r\norg_addr: 0x4064d4, decrypted string: ShellExecuteExA\r\norg_addr: 0x4064f1, decrypted string: shell32.dll\r\norg_addr: 0x4069c6, decrypted string: wininet.dll\r\norg_addr: 0x4069fa, decrypted string: http://\r\norg_addr: 0x406a20, decrypted string: https://\r\norg_addr: 0x406a46, decrypted string: InternetOpenA\r\norg_addr: 0x406a72, decrypted string: InternetConnectA\r\norg_addr: 0x406a9e, decrypted string: HttpOpenRequestA\r\norg_addr: 0x406aca, decrypted string: HttpAddRequestHeadersA\r\norg_addr: 0x406af6, decrypted string: HttpSendRequestA\r\norg_addr: 0x406b22, decrypted string: HttpQueryInfoA\r\norg_addr: 0x406b4e, decrypted string: InternetReadFile\r\norg_addr: 0x406b7a, decrypted string: InternetCloseHandle\r\norg_addr: 0x407369, decrypted string: POST\r\norg_addr: 0x4073a0, decrypted string: GET\r\norg_addr: 0x4074bb, decrypted string: Host:\r\norg_addr: 0x4074f8, decrypted string: Accept: */*\r\norg_addr: 0x407575, decrypted string: Host:\r\norg_addr: 0x4075ca, decrypted string: Accept:\r\norg_addr: 0x409145, decrypted string: kernel32.dll\r\norg_addr: 0x40916e, decrypted string: VirtualAlloc\r\norg_addr: 0x409235, decrypted string: $SIG\r\norg_addr: 0x409495, decrypted string: kernel32.dll\r\norg_addr: 0x4094be, decrypted string: VirtualAlloc\r\norg_addr: 0x409585, decrypted string: $SIG\r\norg_addr: 0x409700, decrypted string: Run\r\norg_addr: 0x409947, decrypted string: RunEX\r\norg_addr: 0x409982, decrypted string: https://\r\norg_addr: 0x40999d, decrypted string: http://\r\norg_addr: 0x4099fe, decrypted string: Run\r\norg_addr: 0x409af4, decrypted string: $UpdateSRV\r\norg_addr: 0x409b21, decrypted string: $UpdateLTR\r\norg_addr: 0x409c53, decrypted string: Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\\r\norg_addr: 0x409c73, decrypted string: Hidden\r\norg_addr: 0x409cd0, decrypted string: HideFileExt\r\norg_addr: 0x409d2a, decrypted string: ShowSuperHidden\r\norg_addr: 0x409e5c, decrypted string: CD_UIDC\r\norg_addr: 0x409e80, decrypted string: CD_ins_guid\r\norg_addr: 0x409ea4, decrypted string: CD_host_guid\r\norg_addr: 0x409ec8, decrypted string: CD_iv\r\norg_addr: 0x409eec, decrypted string: CD_aflt\r\norg_addr: 0x409f16, decrypted string: a\r\norg_addr: 0x409f40, decrypted string: aflt\r\norg_addr: 0x409f64, decrypted string: uidp\r\norg_addr: 0x409f88, decrypted string: IDT\r\norg_addr: 0x409fbd, decrypted string: UID=\r\norg_addr: 0x409ff3, decrypted string: \u0026UID2=\r\norg_addr: 0x40a02c, decrypted string: \u0026UIDC=\r\norg_addr: 0x40a067, decrypted string: \u0026mguid=\r\norg_addr: 0x40a0b0, decrypted 
string: \u0026uidp=\r\norg_addr: 0x40a0eb, decrypted string: \u0026AppName=\r\norg_addr: 0x40a116, decrypted string: \u0026State=\r\norg_addr: 0x40a151, decrypted string: \u0026ins_guid=\r\norg_addr: 0x40a17c, decrypted string: \u0026host_guid=\r\norg_addr: 0x40a1b7, decrypted string: \u0026iv=\r\norg_addr: 0x40a1e2, decrypted string: \u0026aflt=\r\norg_addr: 0x40a21d, decrypted string: \u0026IDT=\r\norg_addr: 0x40a248, decrypted string: \u0026IRTYP=\r\norg_addr: 0x40a286, decrypted string: \u0026IRVER=\r\norg_addr: 0x40a2c3, decrypted string: \u0026OS=\r\norg_addr: 0x40a308, decrypted string: \u0026SV=\r\norg_addr: 0x40a359, decrypted string: \u0026lptp=1\r\norg_addr: 0x40a38b, decrypted string: \u0026lptp=0\r\norg_addr: 0x40a3c1, decrypted string: \u0026btry=1\r\norg_addr: 0x40a3f3, decrypted string: \u0026btry=0\r\norg_addr: 0x40a426, decrypted string: \u0026VMC=\r\norg_addr: 0x40a46f, decrypted string: \u0026REG=\r\norg_addr: 0x40a4a0, decrypted string: CDATA\r\norg_addr: 0x40a4da, decrypted string: SOFTWARE\\\r\norg_addr: 0x40a564, decrypted string: \u0026Src=\r\norg_addr: 0x40a5b6, decrypted string: src.dat\r\norg_addr: 0x40a642, decrypted string: \u0026Lang=\r\norg_addr: 0x40a690, decrypted string: \u0026Lang=\r\norg_addr: 0x40a6de, decrypted string: \u0026ADVF=\r\norg_addr: 0x40a734, decrypted string: \u0026FS=\r\norg_addr: 0x40a79f, decrypted string: \u0026sha=\r\norg_addr: 0x40a7f6, decrypted string: \u0026st_dt=\r\norg_addr: 0x40a867, decrypted string: \u0026ParamALL=\r\norg_addr: 0x40a9e9, decrypted string: UnNM\r\norg_addr: 0x40accc, decrypted string: Date:\r\norg_addr: 0x40af23, decrypted string: \u0026Admin=1\r\norg_addr: 0x40af49, decrypted string: \u0026Admin=0\r\norg_addr: 0x40af70, decrypted string: \u0026Idle=\r\norg_addr: 0x40afac, decrypted string: \u0026TDY=\r\norg_addr: 0x40afe3, decrypted string: \u0026LTDY=\r\norg_addr: 0x40b028, 
decrypted string: \u0026TDYC=\r\norg_addr: 0x40b0c3, decrypted string: https://\r\norg_addr: 0x40b0e4, decrypted string: http://\r\norg_addr: 0x40b158, decrypted string: Location:\r\norg_addr: 0x40b377, decrypted string: script\r\norg_addr: 0x40b3ac, decrypted string: Flags=\r\norg_addr: 0x40b3ed, decrypted string: CHECK\r\norg_addr: 0x40b589, decrypted string: DFN\r\norg_addr: 0x40b81a, decrypted string: UpdTask.exe\r\norg_addr: 0x40b840, decrypted string: SynHelper.exe\r\norg_addr: 0x40b866, decrypted string: Updane.exe\r\norg_addr: 0x40b892, decrypted string: Sync.exe\r\norg_addr: 0x40b8be, decrypted string: ProductUpdt.exe\r\norg_addr: 0x40b8ea, decrypted string: SyncTask.exe\r\norg_addr: 0x40b913, decrypted string: SyncVersion.exe\r\norg_addr: 0x40b956, decrypted string: .exe\r\norg_addr: 0x40ba7e, decrypted string: https://\r\norg_addr: 0x40ba99, decrypted string: http://\r\norg_addr: 0x40bae0, decrypted string: CR\r\norg_addr: 0x40bb1a, decrypted string: CD\r\norg_addr: 0x40bb94, decrypted string: \u0026uid=\r\norg_addr: 0x40bbc3, decrypted string: \u0026ins_guid=\r\norg_addr: 0x40bbf2, decrypted string: \u0026host_guid=\r\norg_addr: 0x40bc21, decrypted string: \u0026iv=\r\norg_addr: 0x40bc59, decrypted string: \u0026AL=\r\norg_addr: 0x40bc8e, decrypted string: a\r\norg_addr: 0x40bcc4, decrypted string: aflt\r\norg_addr: 0x40bcf4, decrypted string: CD_UIDC\r\norg_addr: 0x40bd27, decrypted string: CD_ins_guid\r\norg_addr: 0x40bd5a, decrypted string: CD_host_guid\r\norg_addr: 0x40bd8d, decrypted string: CD_iv\r\norg_addr: 0x40bdc0, decrypted string: CD_aflt\r\norg_addr: 0x40bdf3, decrypted string: CD_AL\r\norg_addr: 0x40be3b, decrypted string: CD\r\norg_addr: 0x40be8a, decrypted string: Local_Inst_DT\r\norg_addr: 0x40bebb, decrypted string: SNR_FAIL\r\norg_addr: 0x40bef0, decrypted string: URL\r\norg_addr: 0x40bf23, decrypted string: AppName\r\norg_addr: 
0x40bf59, decrypted string: uidp\r\norg_addr: 0x40bf9c, decrypted string: UDAT0\r\norg_addr: 0x40bfee, decrypted string: UDAT0\r\norg_addr: 0x40c021, decrypted string: RKL\r\norg_addr: 0x40c06c, decrypted string: RVL\r\norg_addr: 0x40c0ad, decrypted string: RKL\r\norg_addr: 0x40c0e0, decrypted string: RVL\r\norg_addr: 0x40c113, decrypted string: RLM\r\norg_addr: 0x40c158, decrypted string: RLM\r\norg_addr: 0x40c1eb, decrypted string: Inst_DT\r\norg_addr: 0x40c221, decrypted string: IRVER\r\norg_addr: 0x40c26d, decrypted string: IRBVER\r\norg_addr: 0x40c2b5, decrypted string: IRTYP\r\norg_addr: 0x40c2f4, decrypted string: TodayFN\r\norg_addr: 0x40c327, decrypted string: TodayCntFN\r\norg_addr: 0x40c906, decrypted string: SDT\r\norg_addr: 0x40c9c2, decrypted string: Src\r\norg_addr: 0x40c9fc, decrypted string: src.dat\r\norg_addr: 0x40cad5, decrypted string: .del\r\norg_addr: 0x40cbb2, decrypted string: nosct\r\norg_addr: 0x40cd96, decrypted string: noun\r\norg_addr: 0x40cde6, decrypted string: /Uninstall\r\norg_addr: 0x40ce13, decrypted string: DelSelfDir\r\norg_addr: 0x40ce40, decrypted string: /GID=\r\norg_addr: 0x40ce9d, decrypted string: ProdName\r\norg_addr: 0x40cefd, decrypted string: prod.dat\r\norg_addr: 0x40d01e, decrypted string: BkScript\r\norg_addr: 0x40d13f, decrypted string: Flags=\r\norg_addr: 0x40d19c, decrypted string: Install\r\norg_addr: 0x40d52b, decrypted string: UReg\r\norg_addr: 0x40d610, decrypted string: UFile\r\norg_addr: 0x40d6a8, decrypted string: UDAT\r\norg_addr: 0x40d749, decrypted string: UExFile\r\norg_addr: 0x40d8e2, decrypted string: Uninstall\r\norg_addr: 0x40d918, decrypted string: Update Service\r\norg_addr: 0x40d93a, decrypted string: Uninstall completed successfully. 
Please restart your computer\r\norg_addr: 0x40d9a3, decrypted string: \u0026APN=\r\norg_addr: 0x40d9cb, decrypted string: \u0026S=Uninstall\u0026IDT=\r\norg_addr: 0x40d9f3, decrypted string: IDT\r\norg_addr: 0x40da3c, decrypted string: \u0026DT=\r\norg_addr: 0x40da67, decrypted string: \u0026IRTYP=\r\norg_addr: 0x40daa5, decrypted string: \u0026IRVER=\r\norg_addr: 0x40dad2, decrypted string: \u0026UID=\r\norg_addr: 0x40db49, decrypted string: BkScript\r\norg_addr: 0x40dba9, decrypted string: config.dat\r\norg_addr: 0x40dd1c, decrypted string: DelSelfDir\r\norg_addr: 0x40dea9, decrypted string: Update Service\r\norg_addr: 0x40decb, decrypted string: Uninstall\r\norg_addr: 0x40defd, decrypted string: update process?\r\norg_addr: 0x40df56, decrypted string: Uninstall must Reboot your computer to delete files.\r\norg_addr: 0x40df75, decrypted string: Continue with uninstall?\r\norg_addr: 0x40dfec, decrypted string: Uninstall necessario riavviare il computer per eliminare i file\r\norg_addr: 0x40e00b, decrypted string: Continuare con la disinstallazione?\r\norg_addr: 0x40e02f, decrypted string: Désinstaller devez redémarrer votre ordinateur pour supprimer\r\norg_addr: 0x40e04e, decrypted string: Continuer la désinstallation?\r\norg_addr: 0x40e072, decrypted string: Uninstall müssen Starten Sie Ihren Computer, um Dateien zu lös\r\norg_addr: 0x40e091, decrypted string: Fahren Sie mit dem deinstallieren?\r\norg_addr: 0x40e0b5, decrypted string: Uninstall deve reiniciar o computador para apagar arquivos.\r\norg_addr: 0x40e0d4, decrypted string: Continue com a desinstalação?\r\norg_addr: 0x40e0f5, decrypted string: Desinstalación debe reiniciar el equipo para eliminar archivos\r\norg_addr: 0x40e114, decrypted string: Continúe con la desinstalación?\r\norg_addr: 0x40e135, decrypted string: Desinstalación debe reiniciar el equipo para eliminar archivos\r\norg_addr: 0x40e154, decrypted string: Continúe con la desinstalación?\r\norg_addr: 0x40e17b, decrypted string: Update 
Service\r\norg_addr: 0x40e1e0, decrypted string: noun\r\norg_addr: 0x40e210, decrypted string: GID\r\norg_addr: 0x40e2a9, decrypted string: /DoUninstall\r\norg_addr: 0x40e2d2, decrypted string: /Uninstall\r\norg_addr: 0x40e497, decrypted string: $UpdateSRV\r\norg_addr: 0x40e4e1, decrypted string: $UpdateLTR\r\norg_addr: 0x40e66d, decrypted string: script\r\norg_addr: 0x40e6a2, decrypted string: Flags=\r\norg_addr: 0x40e6e3, decrypted string: CHECK\r\norg_addr: 0x40eac4, decrypted string: Update\r\norg_addr: 0x40eadf, decrypted string: Install\r\norg_addr: 0x40eaf8, decrypted string: Flags=\r\norg_addr: 0x40eb50, decrypted string: IDT\r\norg_addr: 0x40ec04, decrypted string: https://\r\norg_addr: 0x40ec1f, decrypted string: http://\r\norg_addr: 0x40ec41, decrypted string: /sanity/\r\norg_addr: 0x40ef16, decrypted string: Ver\r\norg_addr: 0x40ef38, decrypted string: DT:\r\norg_addr: 0x40ef69, decrypted string: Ver:\r\norg_addr: 0x40ef9f, decrypted string: BVer:\r\norg_addr: 0x40efd5, decrypted string: Typ:\r\norg_addr: 0x40f14e, decrypted string: nx\r\norg_addr: 0x41045c, decrypted string: user32.dll\r\norg_addr: 0x41048e, decrypted string: OemToCharA\r\norg_addr: 0x41092a, decrypted string: kernel32.dll\r\norg_addr: 0x410966, decrypted string: GetVersionExA\r\norg_addr: 0x410a6b, decrypted string: ProductName\r\norg_addr: 0x410a93, decrypted string: \\Software\\Microsoft\\Windows NT\\CurrentVersion\\\r\norg_addr: 0x410e2c, decrypted string: kernel32.dll\r\norg_addr: 0x410e54, decrypted string: GetFileSize\r\norg_addr: 0x411055, decrypted string: \u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\norg_addr: 0x411075, decrypted string: \u003cTask version=\"1.1\" xmlns=\"http://schemas.microsoft.com/windows\r\norg_addr: 0x4110ae, decrypted string: \u003cRegistrationInfo\u003e\r\norg_addr: 0x4110dd, decrypted string: \u003cDescription\u003e\u003c#DESC#\u003e\u003c/Description\u003e\r\norg_addr: 0x41110c, decrypted string: \u003c/RegistrationInfo\u003e\r\norg_addr: 0x41113a, decrypted string: \u003c#DESC#\u003e\r\norg_addr: 0x411171, decrypted string: \u003c#TRIGGERS#\u003e\r\norg_addr: 0x4111a0, decrypted string: \u003cPrincipals\u003e\r\norg_addr: 0x4111cf, decrypted string: \u003cPrincipal id=\"Author\"\u003e\r\norg_addr: 0x411202, decrypted string: \u003cUserId\u003eSYSTEM\u003c/UserId\u003e\r\norg_addr: 0x411233, decrypted string: \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\norg_addr: 0x411260, decrypted string: \u003cRunLevel\u003eHighestAvailable\u003c/\r\norg_addr: 0x411291, decrypted string: \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\norg_addr: 0x4112c0, decrypted string: \u003c/Principal\u003e\r\norg_addr: 0x4112ef, decrypted string: \u003c/Principals\u003e\r\norg_addr: 0x411327, decrypted string: \u003cSettings\u003e\r\norg_addr: 0x411362, decrypted string: \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\norg_addr: 0x41139d, decrypted string: \u003cHidden\u003efalse\u003c/Hidden\u003e\r\norg_addr: 0x4113d8, decrypted string: \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\norg_addr: 0x411413, decrypted string: \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\norg_addr: 0x41144e, decrypted string: \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\norg_addr: 0x411489, decrypted string: \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\norg_addr: 0x4114c4, decrypted string: \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\norg_addr: 0x4114ff, decrypted string: \u003cPriority\u003e5\u003c/Priority\u003e\r\norg_addr: 0x41153a, decrypted string: \u003c/Settings\u003e\r\norg_addr: 0x411575, decrypted string: \u003cActions Context=\"Author\"\u003e\r\norg_addr: 0x4115b0, decrypted string: \u003cExec\u003e\r\norg_addr: 0x4115eb, decrypted string: \u003cCommand\u003e\u003c#PROGRAM#\u003e\u003c/Command\u003e\r\norg_addr: 0x411626, decrypted string: \u003cArguments\u003e\u003c#PARAMS#\u003e\u003c/Arguments\u003e\r\norg_addr: 0x411661, decrypted string: \u003c/Exec\u003e\r\norg_addr: 0x41169c, decrypted string: \u003c/Actions\u003e\r\norg_addr: 0x4116d7, decrypted string: \u003c/Task\u003e\r\norg_addr: 0x411729, decrypted string: \u003c#PROGRAM#\u003e\r\norg_addr: 0x41176f, decrypted string: \u003c#PARAMS#\u003e\r\norg_addr: 0x411833, decrypted string: \u003cTriggers\u003e\r\norg_addr: 0x411854, decrypted string: \u003cCalendarTrigger\u003e\r\norg_addr: 0x411899, decrypted string: \u003cRepetition\u003e\r\norg_addr: 0x4118ca, decrypted string: \u003cInterval\u003ePT\r\norg_addr: 0x4118f3, decrypted string: M\u003c/Interval\u003e\r\norg_addr: 0x411924, decrypted string: \u003cDuration\u003eP1D\u003c/Duration\u003e\r\norg_addr: 0x411955, decrypted string: \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\norg_addr: 0x411986, decrypted string: \u003c/Repetition\u003e\r\norg_addr: 0x4119ab, decrypted string: \u003cStartBoundary\u003e\u003c#YEAR#\u003e-\u003c#MONTH#\u003e-\u003c#DAY#\u003eT\u003c#HOUR#\u003e:\u003c#MI\r\norg_addr: 0x4119dc, decrypted string: \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\norg_addr: 0x411a17, decrypted string: \u003cScheduleByDay\u003e\r\norg_addr: 0x411a4e, decrypted string: \u003cDaysInterval\u003e1\u003c/DaysInterval\u003e\r\norg_addr: 0x411a88, decrypted string: \u003c/ScheduleByDay\u003e\r\norg_addr: 0x411ac5, decrypted string: \u003c/CalendarTrigger\u003e\r\norg_addr: 0x411b02, decrypted string: \u003c/Triggers\u003e\r\norg_addr: 0x411c13, decrypted string: \u003c#HOUR#\u003e\r\norg_addr: 0x411c5d, decrypted string: \u003c#MIN#\u003e\r\norg_addr: 0x411ca7, decrypted string: \u003c#SEC#\u003e\r\norg_addr: 0x411cf1, decrypted string: \u003c#YEAR#\u003e\r\norg_addr: 0x411d3b, decrypted string: \u003c#MONTH#\u003e\r\norg_addr: 0x411d85, decrypted string: \u003c#DAY#\u003e\r\norg_addr: 0x411de6, decrypted string: \u003c#TRIGGERS#\u003e\r\norg_addr: 0x411e94, decrypted string: SYSTEM\r\norg_addr: 0x411f7a, decrypted string: Tasks\\\r\norg_addr: 0x411fd5, decrypted string: *.job\r\norg_addr: 0x412461, decrypted string: /interactive\r\norg_addr: 0x4124af, decrypted string: at.exe\r\norg_addr: 0x412551, decrypted string: Tasks\\\r\norg_addr: 0x4125a8, decrypted string: AT\r\norg_addr: 0x4125d3, decrypted string: .job\r\norg_addr: 0x41292f, decrypted string: .xml\r\norg_addr: 0x41296e, decrypted string: /create /F /tn\r\norg_addr: 0x412992, decrypted string: \" /xml \"\r\norg_addr: 0x4129c7, decrypted string: schtasks.exe\r\norg_addr: 0x412a25, decrypted string: /create /F /tn\r\norg_addr: 0x412a52, decrypted string: \" /tr \"\r\norg_addr: 0x412a97, decrypted string: /sc DAILY /ST\r\norg_addr: 0x412aea, decrypted string: /RU SYSTEM\r\norg_addr: 0x412b29, decrypted string: /IT\r\norg_addr: 0x412b62, decrypted string: schtasks.exe\r\norg_addr: 0x412d34, decrypted string: /query /xml\r\norg_addr: 0x412d51, decrypted string: schtasks.exe\r\norg_addr: 0x412d9c, decrypted string: \u003c/Task\u003e\r\norg_addr: 0x412e04, decrypted string: \u003c/Command\u003e\r\norg_addr: 0x412e21, decrypted string: \u003cCommand\u003e\r\norg_addr: 0x412ea5, decrypted string: /delete /F /TN \"\r\norg_addr: 0x412eda, decrypted string: schtasks.exe\r\norg_addr: 0x412f28, decrypted string: \u003c/Task\u003e\r\norg_addr: 0x413074, decrypted string: SHGetSpecialFolderPathW\r\norg_addr: 0x413091, decrypted string: shell32.dll\r\norg_addr: 0x413c5a, decrypted string: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\r\norg_addr: 0x413d72, decrypted string: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\\r\norg_addr: 
0x413d8e, decrypted string: Uninstall\r\norg_addr: 0x413e1b, decrypted string: DisplayIcon\r\norg_addr: 0x413e6a, decrypted string: DisplayName\r\norg_addr: 0x413eb9, decrypted string: UninstallString\r\norg_addr: 0x413f20, decrypted string: Publisher\r\norg_addr: 0x414108, decrypted string: cmd.exe /Q /D /c del \"\r\norg_addr: 0x414178, decrypted string: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\norg_addr: 0x4141ad, decrypted string: cmd.exe /Q /D /c del \"\r\norg_addr: 0x41421d, decrypted string: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\norg_addr: 0x414636, decrypted string: GetPwrCapabilities\r\norg_addr: 0x414824, decrypted string: open\r\norg_addr: 0x4163d5, decrypted string: 000000000000\r\norg_addr: 0x416449, decrypted string: 000000\r\norg_addr: 0x4164cd, decrypted string: FFFFFFFF\r\norg_addr: 0x4169f5, decrypted string: dir\r\norg_addr: 0x416a16, decrypted string: /S \"\r\norg_addr: 0x416a35, decrypted string: *.*\r\norg_addr: 0x416a6b, decrypted string: TIMEOUT\r\norg_addr: 0x416bc2, decrypted string: cmd.exe\r\norg_addr: 0x416bf3, decrypted string: /d /c\r\norg_addr: 0x416c1c, decrypted string: \u0026 cmd /d /c del\r\norg_addr: 0x416c71, decrypted string: CreateProcessA\r\norg_addr: 0x416c9a, decrypted string: kernel32.dll\r\norg_addr: 0x416dad, decrypted string: cmd.exe\r\norg_addr: 0x416dde, decrypted string: /d /c\r\norg_addr: 0x416e0d, decrypted string: \u0026 cmd /d /c rd /S /Q\r\norg_addr: 0x416e6e, decrypted string: CreateProcessA\r\norg_addr: 0x416e97, decrypted string: kernel32.dll\r\norg_addr: 0x4170a7, decrypted string: MachineGuid\r\norg_addr: 0x4170cf, decrypted string: Software\\Microsoft\\Cryptography\r\norg_addr: 0x417116, decrypted string: MachineGuid\r\norg_addr: 0x41713e, decrypted string: Software\\Microsoft\\Cryptography\r\norg_addr: 0x417253, decrypted string: user32.dll\r\norg_addr: 0x41727f, decrypted string: GetLastInputInfo\r\norg_addr: 0x41734c, decrypted string: 
GetUserDefaultUILanguage\r\norg_addr: 0x417369, decrypted string: kernel32.dll\r\norg_addr: 0x417a58, decrypted string: .ini\r\norg_addr: 0x417ab4, decrypted string: .txt\r\norg_addr: 0x417ad7, decrypted string: .txt\r\norg_addr: 0x4182d5, decrypted string: cmd.exe\r\norg_addr: 0x418376, decrypted string: 1.dat\r\norg_addr: 0x4183a9, decrypted string: 2.dat\r\norg_addr: 0x418448, decrypted string: /d /c\r\norg_addr: 0x4184a3, decrypted string: cmd /d /c copy /B /Y /V\r\norg_addr: 0x4184fd, decrypted string: \u0026 cmd /d /c del \"\r\norg_addr: 0x418528, decrypted string: \" \u0026 cmd /d /c del \"\r\norg_addr: 0x41857b, decrypted string: CreateProcessA\r\norg_addr: 0x4185a4, decrypted string: kernel32.dll\r\norg_addr: 0x41878f, decrypted string: psapi.dll\r\norg_addr: 0x4187ce, decrypted string: GetModuleFileNameExA\r\norg_addr: 0x4187f6, decrypted string: EnumProcessModules\r\norg_addr: 0x418d30, decrypted string: mnprstghklbcdf\r\norg_addr: 0x418d56, decrypted string: iuaaooee\r\norg_addr: 0x41a1e7, decrypted string: kernel32.dll\r\norg_addr: 0x41a20d, decrypted string: FreeLibrary\r\norg_addr: 0x41a237, decrypted string: EnterCriticalSection\r\norg_addr: 0x41a261, decrypted string: LeaveCriticalSection\r\norg_addr: 0x41a28b, decrypted string: WaitForSingleObject\r\norg_addr: 0x41a2b5, decrypted string: CloseHandle\r\norg_addr: 0x41a2df, decrypted string: GetExitCodeProcess\r\norg_addr: 0x41a309, decrypted string: GetSystemDirectoryW\r\norg_addr: 0x41a333, decrypted string: GetModuleFileNameW\r\norg_addr: 0x41a35d, decrypted string: DeleteFileA\r\norg_addr: 0x41a387, decrypted string: CreateFileW\r\norg_addr: 0x41a3b1, decrypted string: CreateFileA\r\norg_addr: 0x41a3db, decrypted string: ReadFile\r\norg_addr: 0x41a405, decrypted string: WriteFile\r\norg_addr: 0x41a42f, decrypted string: SetFilePointer\r\norg_addr: 0x41a459, decrypted string: 
MoveFileW\r\norg_addr: 0x41a48c, decrypted string: MoveFileA\r\norg_addr: 0x41a4c2, decrypted string: FindFirstFileW\r\norg_addr: 0x41a4f8, decrypted string: FindNextFileW\r\norg_addr: 0x41a52e, decrypted string: FindClose\r\norg_addr: 0x41a564, decrypted string: CreateProcessW\r\norg_addr: 0x41a59a, decrypted string: CreateProcessA\r\norg_addr: 0x41a5d0, decrypted string: GetStartupInfoA\r\norg_addr: 0x41a606, decrypted string: CopyFileW\r\norg_addr: 0x41a63c, decrypted string: GetTempPathA\r\norg_addr: 0x41a6cf, decrypted string: PeekNamedPipe\r\norg_addr: 0x41a705, decrypted string: CreatePipe\r\norg_addr: 0x41a73b, decrypted string: GetFileAttributesW\r\norg_addr: 0x41a771, decrypted string: GetShortPathNameA\r\norg_addr: 0x41a7a7, decrypted string: GetShortPathNameW\r\norg_addr: 0x41a7dd, decrypted string: GetComputerNameA\r\nhttps://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/\r\nPage 19 of 20\n\norg_addr: 0x41a813, decrypted string: CreateDirectoryA\r\norg_addr: 0x41a849, decrypted string: CreateDirectoryW\r\norg_addr: 0x41a87f, decrypted string: RemoveDirectoryA\r\norg_addr: 0x41a8b5, decrypted string: GetCurrentProcess\r\norg_addr: 0x41a8eb, decrypted string: SetFileTime\r\norg_addr: 0x41a921, decrypted string: GetVolumeInformationA\r\norg_addr: 0x41a957, decrypted string: GetTickCount\r\norg_addr: 0x41a98d, decrypted string: ExitThread\r\norg_addr: 0x41a9c3, decrypted string: CreateThread\r\norg_addr: 0x41a9f9, decrypted string: ResumeThread\r\norg_addr: 0x41aa2f, decrypted string: GetLocalTime\r\norg_addr: 0x41aa65, decrypted string: OpenProcess\r\norg_addr: 0x41aa9b, decrypted string: GetSystemPowerStatus\r\norg_addr: 0x41aad1, decrypted string: GetWindowsDirectoryW\r\norg_addr: 0x41ab07, decrypted string: SetFileAttributesW\r\norg_addr: 0x41ab3d, decrypted string: Sleep\r\norg_addr: 0x41ab73, decrypted string: TerminateProcess\r\norg_addr: 0x41ac02, decrypted string: advapi32.dll\r\norg_addr: 0x41ac28, decrypted 
string: RegCloseKey\r\norg_addr: 0x41ac52, decrypted string: RegOpenKeyExW\r\norg_addr: 0x41ac7c, decrypted string: RegDeleteKeyW\r\norg_addr: 0x41aca6, decrypted string: RegCreateKeyExW\r\norg_addr: 0x41acd0, decrypted string: RegSetValueExW\r\norg_addr: 0x41acfa, decrypted string: RegQueryValueExW\r\norg_addr: 0x41ad24, decrypted string: RegDeleteValueW\r\norg_addr: 0x41ad4e, decrypted string: RegEnumValueW\r\norg_addr: 0x41ad78, decrypted string: RegEnumKeyW\r\norg_addr: 0x41ae05, decrypted string: user32.dll\r\norg_addr: 0x41ae2b, decrypted string: GetWindowThreadProcessId\r\norg_addr: 0x41ae55, decrypted string: EnumWindows\r\norg_addr: 0x41ae7f, decrypted string: WaitForInputIdle\r\norg_addr: 0x41afaa, decrypted string: kernel32.dll\r\norg_addr: 0x41afeb, decrypted string: LoadLibraryA\r\norg_addr: 0x41b01c, decrypted string: GetProcAddress\r\nEnd.\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/\r\nhttps://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/"
	],
	"report_names": [
		"quick-analysis-note-about-dealply-adware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791329,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81c77a254f0645a17b6830876212f16dc48b7341.pdf",
		"text": "https://archive.orkl.eu/81c77a254f0645a17b6830876212f16dc48b7341.txt",
		"img": "https://archive.orkl.eu/81c77a254f0645a17b6830876212f16dc48b7341.jpg"
	}
}