Quick analysis note about DealPly (Adware)
Overview
Some information about DealPly can be found here:
The post focuses on the following main sections:
- Unpack wrapper/loader to get main Dll payload.
- Decrypt the C2 URL and the strings used in the malware code.
Sample:
SHA-256: 40584f79d109a18b1c4ea7e75a945324978652b6afcc9efbe62241717f0b4685
Unpacking wrapper/loader to get main DLL payload
Most DealPly loaders are written in Delphi. When run without parameters, the loader only shows the following form:
When executed with parameters, it unpacks a DLL into allocated memory. This DLL is mainly responsible for connecting to and interacting with the C2. To unpack it, place a breakpoint on VirtualAlloc, run the program and follow the allocated memory region. Keep watching until the loader unpacks a new PE (a DLL); note that all relevant information in its DOS_HEADER and NT_HEADERS has been destroyed:
Dumping the region and fixing the DOS_HEADER and NT_HEADERS yields the correct main DLL:
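As an added illustration of the dump-and-fix step above (example code written for this note, not from the original post), the following Python locates the surviving IMAGE_FILE_HEADER in a dumped region by its field values and rewrites the wiped e_magic, e_lfanew and PE signature. It assumes the loader zeroed only those fields while the file header, optional header and section table survived; if more was destroyed, the section table has to be rebuilt by hand. The header image used for the demo is constructed inline and is not the DealPly payload.

```python
import struct

# PE constants as documented in winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_DLL = 0x2000
SIZEOF_FILE_HEADER = 20
SIZEOF_OPTIONAL_HEADER32 = 0xE0
E_LFANEW_OFFSET = 0x3C


def is_valid_pe(buf: bytes) -> bool:
    """True when the dump carries an intact MZ -> e_lfanew -> PE chain."""
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False
    nt = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    if nt + 4 + SIZEOF_FILE_HEADER > len(buf):
        return False
    return struct.unpack_from("<I", buf, nt)[0] == IMAGE_NT_SIGNATURE


def find_file_header(buf: bytes, max_scan: int = 0x1000):
    """Locate IMAGE_FILE_HEADER without relying on the wiped PE signature:
    x86 machine, sane section count, a standard-size 32-bit optional header
    whose Magic is 0x10B, and the DLL flag (the dropped payload is a DLL)."""
    last = min(len(buf), max_scan) - (SIZEOF_FILE_HEADER + 2)
    for off in range(0, last + 1):
        machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, off)
        if machine != IMAGE_FILE_MACHINE_I386 or not 1 <= nsect <= 96:
            continue
        if opt_size != SIZEOF_OPTIONAL_HEADER32 or not chars & IMAGE_FILE_DLL:
            continue
        opt_magic = struct.unpack_from("<H", buf, off + SIZEOF_FILE_HEADER)[0]
        if opt_magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
            return off
    return None


def repair_headers(buf: bytes) -> bytes:
    """Rewrite e_magic, e_lfanew and the NT signature around the located
    file header; raises when no plausible header is found or it sits too
    close to the start for a DOS header to precede it."""
    fh = find_file_header(buf)
    if fh is None or fh < 0x40 + 4:
        raise ValueError("no recoverable IMAGE_FILE_HEADER in dump")
    nt = fh - 4                         # the signature sits right before the file header
    out = bytearray(buf)
    struct.pack_into("<H", out, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", out, E_LFANEW_OFFSET, nt)
    struct.pack_into("<I", out, nt, IMAGE_NT_SIGNATURE)
    return bytes(out)


def build_sample_dll(nt_offset: int = 0x80, nsect: int = 4) -> bytes:
    """Constructed minimal 32-bit DLL header image for the demo; not a real sample."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(E_LFANEW_OFFSET, b"\0")
    dos = (dos + struct.pack("<I", nt_offset)).ljust(nt_offset, b"\0")
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsect, 0, 0, 0,
                           SIZEOF_OPTIONAL_HEADER32, 0x2102)  # EXECUTABLE|32BIT|DLL
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC).ljust(SIZEOF_OPTIONAL_HEADER32, b"\0")
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt + b"\0" * (40 * nsect)


def wipe_headers(buf: bytes) -> bytes:
    """Simulate the loader: zero e_magic, e_lfanew and the PE signature."""
    nt = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    out = bytearray(buf)
    out[0:2] = b"\0\0"
    out[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = b"\0" * 4
    out[nt:nt + 4] = b"\0" * 4
    return bytes(out)


if __name__ == "__main__":
    dumped = wipe_headers(build_sample_dll())
    print("valid before fix:", is_valid_pe(dumped))
    fixed = repair_headers(dumped)
    print("valid after fix:", is_valid_pe(fixed),
          "e_lfanew=0x%x" % struct.unpack_from("<I", fixed, E_LFANEW_OFFSET)[0])
```

Run it against the raw bytes dumped from the VirtualAlloc region; once is_valid_pe reports True the file loads in IDA as a normal DLL.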
Analysis of DLL payload
Decrypt C2Url
Load the dumped DLL into IDA and go to the code of the Run function. It calls the f_main_proc function, which accepts the passed parameters; the third parameter is the encoded C2. Diving into the code of f_main_proc reveals the function responsible for decoding the malware's C2:
The code of the f_tranform_c2Url function recalculates the bytes of enC2Url:
After the transform completes, f_decrypt_c2Url is called to decode the C2. In essence, f_decrypt_c2Url performs the decryption; its xor_key is calculated from the last 2 bytes of the transformed enC2Url above:
With all the above information and pseudo-code, I rewrote the code that performs the C2 decoding in Python as follows:
Execute the above script and check the results. As the result shows, this sample will connect to buluw[.]com:
Decrypt strings
All strings used by the malware are encrypted and are only decrypted when needed. Analysis of the code reveals the function responsible for decoding:
The code of this function is as follows:
As the picture above shows, the f_decrypt_string function takes as its argument the address that contains the pointer to the encrypted string (e.g. off_41C174). The function responsible for performing the decryption is f_decrypt_str, which takes an additional parameter g_calc_tbl, a table of 256 elements used in the calculation. The code of the f_decrypt_str function looks like this:
Based on the pseudo-code analyzed above, I rewrote the IDAPython script that decodes all the strings as follows:
Executing the above script:
All the strings are decrypted:
End.
m4n0w4r