{
	"id": "eace2136-5b9e-450e-9f36-82e835fcac4f",
	"created_at": "2026-04-06T00:07:47.884154Z",
	"updated_at": "2026-04-10T03:21:33.614734Z",
	"deleted_at": null,
	"sha1_hash": "a469959c939427300816d1a5d46d9640a870a6a6",
	"title": "PikaBot Is Back With a Vengeance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 163802,
	"plain_text": "PikaBot Is Back With a Vengeance\r\nPublished: 2023-11-12 · Archived: 2026-04-05 22:34:00 UTC\r\nimport idaapi, idc, idautils\r\nstrings = [{ \"a1\":0xF9AB9F, \"a2\":0xFA6A29, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA6A29, \"value\":'''GetUserDefaultLangID''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF93662, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF93662, \"value\":'''CreateMutexW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF93672, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF93672, \"value\":'''GetLastError''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9C5B6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9C5B6, \"value\":'''WaitForSingleObjectEx''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA66F5, \"a2\":0x15D4E6AA, \"value\":'''C:\\\\''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA6710, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA6710, \"value\":'''GetVolumeInformationW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF953C5, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF953C5, \"value\":'''GetComputerNameW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF950B5, \"value\":'''Advapi32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF950B5, \"value\":'''GetUserNameW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF94F62, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF94F62, \"value\":'''GetProductInfo''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xF94F6C, \"a2\":0x0, \"value\":'''\\%d''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF94F80, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF94F80, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, 
\"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA6787, \"a2\":0x15D4E6AA, \"value\":'''\\%s\\\\\\%s|\\%s''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA67A0, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA67A0, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA685D, \"a2\":0x15D4E6AA, \"value\":'''\\%07lX\\%09lX\\%lu''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA6878, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA6878, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9371D, \"a2\":0x3157537A, \"value\":'''\\%s''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9373B, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9373B, \"value\":'''wsprintfA''' },\r\n{ \"a1\":0xF93762, \"a2\":0x3157537A, \"value\":'''\u0026''' },\r\nhttps://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html\r\nPage 1 of 26\n\n{ \"a1\":0xF9AB9F, \"a2\":0xF94B7E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF94B7E, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF94F62, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF94F62, \"value\":'''GetProductInfo''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xF94F6C, \"a2\":0x31366B33, \"value\":'''\\%d''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF94F80, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF94F80, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF950B5, \"value\":'''Advapi32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF950B5, \"value\":'''GetUserNameW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF953C5, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF953C5, \"value\":'''GetComputerNameW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, 
\"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF95E45, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF95E45, \"value\":'''EnumDisplayDevicesW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF96015, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF96015, \"value\":'''GlobalMemoryStatusEx''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF969E6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF969E6, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF96E81, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF96E81, \"value\":'''GetCurrentProcess''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF96E92, \"value\":'''Advapi32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF96E92, \"value\":'''OpenProcessToken''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF96EB5, \"value\":'''Advapi32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF96EB5, \"value\":'''GetTokenInformation''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF96FBE, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF96FBE, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF965CF, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF965CF, \"value\":'''GetDesktopWindow''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF967CC, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF967CC, \"value\":'''GetWindowRect''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xF967D9, \"a2\":0x51187093, \"value\":'''\\%dx\\%d''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF967F3, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF967F3, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF956CF, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF956CF, \"value\":'''GetComputerNameExW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF95A19, \"value\":'''NetApi32.dll''' },\r\n{ 
\"a1\":0xF9ABD2, \"a2\":0xF95A19, \"value\":'''DsGetDcNameW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xF95B33, \"a2\":0x3858696A, \"value\":'''unknown''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA8D5A, \"a2\":0x30487233, \"value\":'''{\"mdPNC6f8\": \"\\%s\", \"NUn3h77h\": \"\\%s\", \"W381C\": \"Win \\%\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA8D67, \"a2\":0x30487233, \"value\":'''GG9TU@T@f0adda360d2b4ccda11468e026526576''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA8DEC, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA8DEC, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xFA8E91, \"a2\":0x684C4B6F, \"value\":'''\u0026tfDgx=''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA8E9B, \"a2\":0x684C4B6F, \"value\":'''whoami.exe /all''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2DAF, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2DAF, \"value\":'''CreatePipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2E6D, \"value\":'''Kernel32.dll''' 
},\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2E6D, \"value\":'''CreateProcessW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB34B2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB34B2, \"value\":'''WaitForSingleObject''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB34B2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB34B2, \"value\":'''WaitForSingleObject''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' 
},\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB38E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB38E2, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB38F4, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB38F4, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3906, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3906, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3918, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3918, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9C5B6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9C5B6, \"value\":'''WaitForSingleObjectEx''' },\r\n{ \"a1\":0xFA8E91, \"a2\":0x68366265, \"value\":'''\u0026M1LWU=''' },\r\n{ \"a1\":0xF9AB9F, 
\"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA8E9B, \"a2\":0x68366265, \"value\":'''ipconfig.exe /all''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2DAF, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2DAF, \"value\":'''CreatePipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2E6D, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2E6D, \"value\":'''CreateProcessW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB34B2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB34B2, \"value\":'''WaitForSingleObject''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB38E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB38E2, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB38F4, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB38F4, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3906, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3906, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3918, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3918, 
\"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9C5B6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9C5B6, \"value\":'''WaitForSingleObjectEx''' },\r\n{ \"a1\":0xFA8E91, \"a2\":0x63777074, \"value\":'''\u0026VC76f=''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA8E9B, \"a2\":0x63777074, \"value\":'''netstat.exe -aon''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2DAF, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2DAF, \"value\":'''CreatePipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2E6D, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2E6D, \"value\":'''CreateProcessW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB34B2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB34B2, \"value\":'''WaitForSingleObject''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, 
\"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB383E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB383E, \"value\":'''ReadFile''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3807, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3807, \"value\":'''PeekNamedPipe''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB38E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB38E2, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB38F4, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB38F4, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3906, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3906, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB3918, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB3918, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9C5B6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9C5B6, \"value\":'''WaitForSingleObjectEx''' },\r\n{ \"a1\":0xFA8F71, \"a2\":0x4855364C, \"value\":'''\u0026SBSlO=''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB1FC8, 
\"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB1FC8, \"value\":'''CreateToolhelp32Snapshot''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2000, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2000, \"value\":'''Process32FirstW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFB212E, \"a2\":0x590016, \"value\":'''[''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFB213E, \"a2\":0x590016, \"value\":'''\"\\%s:\\%d:\\%d:\\%d:\\%d:\\%d:\\%d\"''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFB214C, \"a2\":0x590016, \"value\":''', \"\\%s:\\%d:\\%d:\\%d:\\%d:\\%d:\\%d\"''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFB215A, \"a2\":0x590016, \"value\":''']''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2172, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2172, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, 
\"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ 
\"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' 
},\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, 
\"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ 
\"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, 
\"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' 
},\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ 
\"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, 
\"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ 
\"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, 
\"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, 
\"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, 
\"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ 
\"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, 
\"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' 
},\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, 
\"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, 
\"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ 
\"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, 
\"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, 
\"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, 
\"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ 
\"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, 
\"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, 
\"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ 
\"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, 
\"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' 
},\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, 
\"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, \"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB11C8, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB11C8, 
\"value\":'''IsWow64Process''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9CC36, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9CC36, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB2417, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB2417, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24D0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24D0, \"value\":'''Process32NextW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB24FC, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB24FC, \"value\":'''wsprintfW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFB258E, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFB258E, \"value\":'''CloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF988E0, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF988E0, \"value\":'''GetTickCount''' },\r\n{ \"a1\":0xFA929A, \"a2\":0x730069, \"value\":'''AV89JS''' },\r\n{ \"a1\":0xFA92AB, \"a2\":0x730069, \"value\":'''\u0026''' },\r\n{ \"a1\":0xF9E523, \"a2\":0xF0A26600, \"value\":'''\\%s\u0026\\%s''' },\r\n{ \"a1\":0xF9E530, \"a2\":0xF0A26600, \"value\":'''UndoubtableEthnologically=antitwilightFluidextract\u0026bire\r\n{ \"a1\":0xF9E53D, \"a2\":0xF0A26600, \"value\":'''UdvGU=''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9E558, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9E558, \"value\":'''wsprintfA''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA13EF, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA13EF, \"value\":'''InternetOpenW''' },\r\n{ \"a1\":0xFA145C, \"a2\":0x41734430, 
\"value\":'''\u0026''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA162D, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA162D, \"value\":'''InternetConnectW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA18D1, \"a2\":0x41734430, \"value\":'''POST''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA18DB, \"a2\":0x41734430, \"value\":'''TrichinopolyUncontriving/uiDV6mKfgGakdg?unshelledSplitn\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA18F9, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA18F9, \"value\":'''HttpOpenRequestW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1C79, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1C79, \"value\":'''InternetQueryOptionW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1DCA, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1DCA, \"value\":'''InternetSetOptionW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1DEB, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1DEB, \"value\":'''lstrlenW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1E00, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1E00, \"value\":'''lstrlenA''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1E19, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1E19, \"value\":'''HttpSendRequestW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA22D8, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA22D8, \"value\":'''InternetCloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA22EB, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA22EB, \"value\":'''InternetCloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA22FB, 
\"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA22FB, \"value\":'''InternetCloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9C5B6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9C5B6, \"value\":'''WaitForSingleObjectEx''' },\r\n{ \"a1\":0xF9E523, \"a2\":0xF0A26600, \"value\":'''\\%s\u0026\\%s''' },\r\n{ \"a1\":0xF9E530, \"a2\":0xF0A26600, \"value\":'''UndoubtableEthnologically=antitwilightFluidextract\u0026bire\r\n{ \"a1\":0xF9E53D, \"a2\":0xF0A26600, \"value\":'''UdvGU=''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9E558, \"value\":'''User32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9E558, \"value\":'''wsprintfA''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA13EF, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA13EF, \"value\":'''InternetOpenW''' },\r\n{ \"a1\":0xFA145C, \"a2\":0x41734430, \"value\":'''\u0026''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA162D, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA162D, \"value\":'''InternetConnectW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA18D1, \"a2\":0x41734430, \"value\":'''POST''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA18DB, \"a2\":0x41734430, \"value\":'''TrichinopolyUncontriving/uiDV6mKfgGakdg?unshelledSplitn\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA18F9, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA18F9, \"value\":'''HttpOpenRequestW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1C79, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1C79, \"value\":'''InternetQueryOptionW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1DCA, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, 
\"a2\":0xFA1DCA, \"value\":'''InternetSetOptionW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9B8E2, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9B8E2, \"value\":'''MultiByteToWideChar''' },\r\n{ \"a1\":0xFA1DD7, \"a2\":0x41734430, \"value\":'''Content-Type: application/x-www-form-urlencoded \\nAccep\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1DEB, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1DEB, \"value\":'''lstrlenW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1E00, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1E00, \"value\":'''lstrlenA''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA1E19, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA1E19, \"value\":'''HttpSendRequestW''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA22D8, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA22D8, \"value\":'''InternetCloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA22EB, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA22EB, \"value\":'''InternetCloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xFA22FB, \"value\":'''Wininet.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xFA22FB, \"value\":'''InternetCloseHandle''' },\r\n{ \"a1\":0xF9AB9F, \"a2\":0xF9C5B6, \"value\":'''Kernel32.dll''' },\r\n{ \"a1\":0xF9ABD2, \"a2\":0xF9C5B6, \"value\":'''WaitForSingleObjectEx''' }]\r\nblacklisted = [0xF9AB9F,0xF9ABD2]\r\ndef set_hexrays_comment(address, text):\r\n    '''\r\n    set comment in decompiled code\r\n    '''\r\n    cfunc = idaapi.decompile(address)\r\n    tl = idaapi.treeloc_t()\r\n    tl.ea = address\r\n    tl.itp = idaapi.ITP_SEMI\r\n    cfunc.set_user_cmt(tl, text)\r\n    cfunc.save_user_cmts()\r\ndef set_comment(address, text):\r\n    ## Set in disassembly\r\n    idc.set_cmt(address, text,0)\r\n    ## Set in decompiled data\r\n    set_hexrays_comment(address, text)\r\nfor s in strings:\r\n    addr = s.get('a1')\r\n    if addr in blacklisted:\r\n        addr = s.get('a2')\r\n    set_comment(addr, s.get('value'))\r\ndef get_hash(string):\r\n    out = 0xb6\r\n    string = string.lower()\r\n    for c in string:\r\n        out = (ord(c) + out * 5) \u0026 0xffffffff\r\n    return out\r\nhex(get_hash('HeapFree'))\r\n'0x4d6cd9e'\r\nSource: https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html"
	],
	"report_names": [
		"new-pikabot.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434067,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a469959c939427300816d1a5d46d9640a870a6a6.pdf",
		"text": "https://archive.orkl.eu/a469959c939427300816d1a5d46d9640a870a6a6.txt",
		"img": "https://archive.orkl.eu/a469959c939427300816d1a5d46d9640a870a6a6.jpg"
	}
}