PikaBot Is Back With a Vengeance
Published: 2023-11-12 · Archived: 2026-04-05 22:34:00 UTC
import idaapi, idc, idautils
strings = [{ "a1":0xF9AB9F, "a2":0xFA6A29, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA6A29, "value":'''GetUserDefaultLangID''' },
{ "a1":0xF9AB9F, "a2":0xF93662, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF93662, "value":'''CreateMutexW''' },
{ "a1":0xF9AB9F, "a2":0xF93672, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF93672, "value":'''GetLastError''' },
{ "a1":0xF9AB9F, "a2":0xF9C5B6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9C5B6, "value":'''WaitForSingleObjectEx''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA66F5, "a2":0x15D4E6AA, "value":'''C:\\''' },
{ "a1":0xF9AB9F, "a2":0xFA6710, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA6710, "value":'''GetVolumeInformationW''' },
{ "a1":0xF9AB9F, "a2":0xF953C5, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF953C5, "value":'''GetComputerNameW''' },
{ "a1":0xF9AB9F, "a2":0xF950B5, "value":'''Advapi32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF950B5, "value":'''GetUserNameW''' },
{ "a1":0xF9AB9F, "a2":0xF94F62, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF94F62, "value":'''GetProductInfo''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xF94F6C, "a2":0x0, "value":'''\%d''' },
{ "a1":0xF9AB9F, "a2":0xF94F80, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF94F80, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA6787, "a2":0x15D4E6AA, "value":'''\%s\\\%s|\%s''' },
{ "a1":0xF9AB9F, "a2":0xFA67A0, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA67A0, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA685D, "a2":0x15D4E6AA, "value":'''\%07lX\%09lX\%lu''' },
{ "a1":0xF9AB9F, "a2":0xFA6878, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA6878, "value":'''wsprintfW''' },
{ "a1":0xF9371D, "a2":0x3157537A, "value":'''\%s''' },
{ "a1":0xF9AB9F, "a2":0xF9373B, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9373B, "value":'''wsprintfA''' },
{ "a1":0xF93762, "a2":0x3157537A, "value":'''&''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 1 of 26

{ "a1":0xF9AB9F, "a2":0xF94B7E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF94B7E, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF94F62, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF94F62, "value":'''GetProductInfo''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xF94F6C, "a2":0x31366B33, "value":'''\%d''' },
{ "a1":0xF9AB9F, "a2":0xF94F80, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF94F80, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xF950B5, "value":'''Advapi32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF950B5, "value":'''GetUserNameW''' },
{ "a1":0xF9AB9F, "a2":0xF953C5, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF953C5, "value":'''GetComputerNameW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xF9AB9F, "a2":0xF95E45, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF95E45, "value":'''EnumDisplayDevicesW''' },
{ "a1":0xF9AB9F, "a2":0xF96015, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF96015, "value":'''GlobalMemoryStatusEx''' },
{ "a1":0xF9AB9F, "a2":0xF969E6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF969E6, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF96E81, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF96E81, "value":'''GetCurrentProcess''' },
{ "a1":0xF9AB9F, "a2":0xF96E92, "value":'''Advapi32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF96E92, "value":'''OpenProcessToken''' },
{ "a1":0xF9AB9F, "a2":0xF96EB5, "value":'''Advapi32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF96EB5, "value":'''GetTokenInformation''' },
{ "a1":0xF9AB9F, "a2":0xF96FBE, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF96FBE, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF965CF, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF965CF, "value":'''GetDesktopWindow''' },
{ "a1":0xF9AB9F, "a2":0xF967CC, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF967CC, "value":'''GetWindowRect''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xF967D9, "a2":0x51187093, "value":'''\%dx\%d''' },
{ "a1":0xF9AB9F, "a2":0xF967F3, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF967F3, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xF956CF, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF956CF, "value":'''GetComputerNameExW''' },
{ "a1":0xF9AB9F, "a2":0xF95A19, "value":'''NetApi32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF95A19, "value":'''DsGetDcNameW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xF95B33, "a2":0x3858696A, "value":'''unknown''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 2 of 26

{ "a1":0xFA8D5A, "a2":0x30487233, "value":'''{"mdPNC6f8": "\%s", "NUn3h77h": "\%s", "W381C": "Win \%
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA8D67, "a2":0x30487233, "value":'''GG9TU@T@f0adda360d2b4ccda11468e026526576''' },
{ "a1":0xF9AB9F, "a2":0xFA8DEC, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA8DEC, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xFA8E91, "a2":0x684C4B6F, "value":'''&tfDgx=''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA8E9B, "a2":0x684C4B6F, "value":'''whoami.exe /all''' },
{ "a1":0xF9AB9F, "a2":0xFB2DAF, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2DAF, "value":'''CreatePipe''' },
{ "a1":0xF9AB9F, "a2":0xFB2E6D, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2E6D, "value":'''CreateProcessW''' },
{ "a1":0xF9AB9F, "a2":0xFB34B2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB34B2, "value":'''WaitForSingleObject''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB34B2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB34B2, "value":'''WaitForSingleObject''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 3 of 26

{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB38E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB38E2, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB38F4, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB38F4, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB3906, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3906, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB3918, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3918, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF9C5B6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9C5B6, "value":'''WaitForSingleObjectEx''' },
{ "a1":0xFA8E91, "a2":0x68366265, "value":'''&M1LWU=''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA8E9B, "a2":0x68366265, "value":'''ipconfig.exe /all''' },
{ "a1":0xF9AB9F, "a2":0xFB2DAF, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2DAF, "value":'''CreatePipe''' },
{ "a1":0xF9AB9F, "a2":0xFB2E6D, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2E6D, "value":'''CreateProcessW''' },
{ "a1":0xF9AB9F, "a2":0xFB34B2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB34B2, "value":'''WaitForSingleObject''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB38E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB38E2, "value":'''CloseHandle''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 4 of 26

{ "a1":0xF9AB9F, "a2":0xFB38F4, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB38F4, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB3906, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3906, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB3918, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3918, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF9C5B6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9C5B6, "value":'''WaitForSingleObjectEx''' },
{ "a1":0xFA8E91, "a2":0x63777074, "value":'''&VC76f=''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA8E9B, "a2":0x63777074, "value":'''netstat.exe -aon''' },
{ "a1":0xF9AB9F, "a2":0xFB2DAF, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2DAF, "value":'''CreatePipe''' },
{ "a1":0xF9AB9F, "a2":0xFB2E6D, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2E6D, "value":'''CreateProcessW''' },
{ "a1":0xF9AB9F, "a2":0xFB34B2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB34B2, "value":'''WaitForSingleObject''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB383E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB383E, "value":'''ReadFile''' },
{ "a1":0xF9AB9F, "a2":0xFB3807, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3807, "value":'''PeekNamedPipe''' },
{ "a1":0xF9AB9F, "a2":0xFB38E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB38E2, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB38F4, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB38F4, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB3906, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 5 of 26

{ "a1":0xF9ABD2, "a2":0xFB3906, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFB3918, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB3918, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF9C5B6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9C5B6, "value":'''WaitForSingleObjectEx''' },
{ "a1":0xFA8F71, "a2":0x4855364C, "value":'''&SBSlO=''' },
{ "a1":0xF9AB9F, "a2":0xFB1FC8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB1FC8, "value":'''CreateToolhelp32Snapshot''' },
{ "a1":0xF9AB9F, "a2":0xFB2000, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2000, "value":'''Process32FirstW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFB212E, "a2":0x590016, "value":'''[''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFB213E, "a2":0x590016, "value":'''"\%s:\%d:\%d:\%d:\%d:\%d:\%d"''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFB214C, "a2":0x590016, "value":''', "\%s:\%d:\%d:\%d:\%d:\%d:\%d"''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFB215A, "a2":0x590016, "value":''']''' },
{ "a1":0xF9AB9F, "a2":0xFB2172, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2172, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 6 of 26

{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 7 of 26

{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 8 of 26

{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 9 of 26

{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 10 of 26

{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 11 of 26

{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 12 of 26

{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 13 of 26

{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 14 of 26

{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 15 of 26

{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 16 of 26

{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 17 of 26

{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 18 of 26

{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 19 of 26

{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 20 of 26

{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 21 of 26

{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 22 of 26

{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB11C8, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB11C8, "value":'''IsWow64Process''' },
{ "a1":0xF9AB9F, "a2":0xF9CC36, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9CC36, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xFB2417, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB2417, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB24D0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24D0, "value":'''Process32NextW''' },
{ "a1":0xF9AB9F, "a2":0xFB24FC, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB24FC, "value":'''wsprintfW''' },
{ "a1":0xF9AB9F, "a2":0xFB258E, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFB258E, "value":'''CloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xF9AB9F, "a2":0xF988E0, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF988E0, "value":'''GetTickCount''' },
{ "a1":0xFA929A, "a2":0x730069, "value":'''AV89JS''' },
{ "a1":0xFA92AB, "a2":0x730069, "value":'''&''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 23 of 26

{ "a1":0xF9E523, "a2":0xF0A26600, "value":'''\%s&\%s''' },
{ "a1":0xF9E530, "a2":0xF0A26600, "value":'''UndoubtableEthnologically=antitwilightFluidextract&bire
{ "a1":0xF9E53D, "a2":0xF0A26600, "value":'''UdvGU=''' },
{ "a1":0xF9AB9F, "a2":0xF9E558, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9E558, "value":'''wsprintfA''' },
{ "a1":0xF9AB9F, "a2":0xFA13EF, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA13EF, "value":'''InternetOpenW''' },
{ "a1":0xFA145C, "a2":0x41734430, "value":'''&''' },
{ "a1":0xF9AB9F, "a2":0xFA162D, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA162D, "value":'''InternetConnectW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA18D1, "a2":0x41734430, "value":'''POST''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA18DB, "a2":0x41734430, "value":'''TrichinopolyUncontriving/uiDV6mKfgGakdg?unshelledSplitn
{ "a1":0xF9AB9F, "a2":0xFA18F9, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA18F9, "value":'''HttpOpenRequestW''' },
{ "a1":0xF9AB9F, "a2":0xFA1C79, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1C79, "value":'''InternetQueryOptionW''' },
{ "a1":0xF9AB9F, "a2":0xFA1DCA, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1DCA, "value":'''InternetSetOptionW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xF9AB9F, "a2":0xFA1DEB, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1DEB, "value":'''lstrlenW''' },
{ "a1":0xF9AB9F, "a2":0xFA1E00, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1E00, "value":'''lstrlenA''' },
{ "a1":0xF9AB9F, "a2":0xFA1E19, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1E19, "value":'''HttpSendRequestW''' },
{ "a1":0xF9AB9F, "a2":0xFA22D8, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA22D8, "value":'''InternetCloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFA22EB, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA22EB, "value":'''InternetCloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFA22FB, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA22FB, "value":'''InternetCloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF9C5B6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9C5B6, "value":'''WaitForSingleObjectEx''' },
{ "a1":0xF9E523, "a2":0xF0A26600, "value":'''\%s&\%s''' },
{ "a1":0xF9E530, "a2":0xF0A26600, "value":'''UndoubtableEthnologically=antitwilightFluidextract&bire
{ "a1":0xF9E53D, "a2":0xF0A26600, "value":'''UdvGU=''' },
{ "a1":0xF9AB9F, "a2":0xF9E558, "value":'''User32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9E558, "value":'''wsprintfA''' },
{ "a1":0xF9AB9F, "a2":0xFA13EF, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA13EF, "value":'''InternetOpenW''' },
{ "a1":0xFA145C, "a2":0x41734430, "value":'''&''' },
{ "a1":0xF9AB9F, "a2":0xFA162D, "value":'''Wininet.dll''' },
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 24 of 26

{ "a1":0xF9ABD2, "a2":0xFA162D, "value":'''InternetConnectW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA18D1, "a2":0x41734430, "value":'''POST''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA18DB, "a2":0x41734430, "value":'''TrichinopolyUncontriving/uiDV6mKfgGakdg?unshelledSplitn
{ "a1":0xF9AB9F, "a2":0xFA18F9, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA18F9, "value":'''HttpOpenRequestW''' },
{ "a1":0xF9AB9F, "a2":0xFA1C79, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1C79, "value":'''InternetQueryOptionW''' },
{ "a1":0xF9AB9F, "a2":0xFA1DCA, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1DCA, "value":'''InternetSetOptionW''' },
{ "a1":0xF9AB9F, "a2":0xF9B8E2, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9B8E2, "value":'''MultiByteToWideChar''' },
{ "a1":0xFA1DD7, "a2":0x41734430, "value":'''Content-Type: application/x-www-form-urlencoded \nAccep
{ "a1":0xF9AB9F, "a2":0xFA1DEB, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1DEB, "value":'''lstrlenW''' },
{ "a1":0xF9AB9F, "a2":0xFA1E00, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1E00, "value":'''lstrlenA''' },
{ "a1":0xF9AB9F, "a2":0xFA1E19, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA1E19, "value":'''HttpSendRequestW''' },
{ "a1":0xF9AB9F, "a2":0xFA22D8, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA22D8, "value":'''InternetCloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFA22EB, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA22EB, "value":'''InternetCloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xFA22FB, "value":'''Wininet.dll''' },
{ "a1":0xF9ABD2, "a2":0xFA22FB, "value":'''InternetCloseHandle''' },
{ "a1":0xF9AB9F, "a2":0xF9C5B6, "value":'''Kernel32.dll''' },
{ "a1":0xF9ABD2, "a2":0xF9C5B6, "value":'''WaitForSingleObjectEx''' }]
blacklisted = [0xF9AB9F,0xF9ABD2]
def set_hexrays_comment(address, text):
 '''
 set comment in decompiled code
 '''
 cfunc = idaapi.decompile(address)
 tl = idaapi.treeloc_t()
 tl.ea = address
 tl.itp = idaapi.ITP_SEMI
 cfunc.set_user_cmt(tl, text)
 cfunc.save_user_cmts()
def set_comment(address, text):
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 25 of 26

## Set in dissassembly
 idc.set_cmt(address, text,0)
 ## Set in decompiled data
 set_hexrays_comment(address, text)
for s in strings:
 addr = s.get('a1')
 if addr in blacklisted:
 addr = s.get('a2')
 set_comment(addr, s.get('value'))
def get_hash(string):
 out = 0xb6
 string = string.lower()
 for c in string:
 out = (ord(c) + out * 5) & 0xffffffff
 return out
hex(get_hash('HeapFree'))
'0x4d6cd9e'
Source: https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html
Page 26 of 26