{
	"id": "35e1e650-f661-4bee-b5e5-22f06bc68a1e",
	"created_at": "2026-04-06T01:30:49.627359Z",
	"updated_at": "2026-04-10T13:12:38.552635Z",
	"deleted_at": null,
	"sha1_hash": "ba82d1f820b2e81f3e994832ead21774acd85f74",
	"title": "PikaBot Is Back With a Vengeance - Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46817,
	"plain_text": "PikaBot Is Back With a Vengeance - Part 2\r\nPublished: 2023-11-19 · Archived: 2026-04-06 00:57:34 UTC\r\nKey string: b'l9SpFBoXEyglbY0ginoTUBd=pP=y6rVcQG8tP/zV4iqr06yZKEb+VCg1yQJ5jUNE'\r\nKey: 6c39537046426f584579676c62593067696e6f545542643d70503d7936725663\r\nIV string: b'FdbAwsDj0FJcgkLPb1J/mqGU7T6e98p9CMnoB'\r\nIV: 466462417773446a30464a63676b4c50\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\", \"NUn3h77h\": \"%s\", \"W381C\": \"Win %d.%d %d\", \"SJ3sWSeKQ\": %s, \"YlSwktC\r\nDecrypted: b'CreateMutexW'\r\nDecrypted: b'GetLastError'\r\nDecrypted: b'%s'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'\u0026tfDgx='\r\nDecrypted: b'whoami.exe /all'\r\nDecrypted: b'\u0026M1LWU='\r\nDecrypted: b'ipconfig.exe /all'\r\nDecrypted: b'\u0026VC76f='\r\nDecrypted: b'netstat.exe -aon'\r\nDecrypted: b'\u0026SBSlO='\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\"}'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\"}'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'HydrohemothoraxCoenaesthesis/2bQbdHQI1z9PoD?SnarlishAllobars=59eYpYysBS\u0026UndoubtableEthno\r\nDecrypted: b'\u0026'\r\nDecrypted: b'BaylZ'\r\nDecrypted: b'AV89JS'\r\nDecrypted: b'IsWow64Process'\r\nDecrypted: b'GetProductInfo'\r\nDecrypted: b'%d'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'unknown'\r\nDecrypted: b'GetComputerNameW'\r\nDecrypted: b'unknown'\r\nDecrypted: b'GetComputerNameExW'\r\nDecrypted: b'unknown'\r\nDecrypted: b'DsGetDcNameW'\r\nDecrypted: b'unknown'\r\nDecrypted: b'EnumDisplayDevicesW'\r\nDecrypted: b'GlobalMemoryStatusEx'\r\nDecrypted: b'GetDesktopWindow'\r\nDecrypted: b'GetWindowRect'\r\nhttps://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html\r\nPage 1 of 6\n\nDecrypted: b'%dx%d'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'unknown'\r\nDecrypted: b'GetTickCount'\r\nDecrypted: b'OpenProcessToken'\r\nDecrypted: b'GetCurrentProcess'\r\nDecrypted: b'GetTokenInformation'\r\nDecrypted: 
b'Kernel32.dll'\r\nDecrypted: b'User32.dll'\r\nDecrypted: b'Wininet.dll'\r\nDecrypted: b'Advapi32.dll'\r\nDecrypted: b'NetApi32.dll'\r\nDecrypted: b'MultiByteToWideChar'\r\nDecrypted: b'WaitForSingleObjectEx'\r\nDecrypted: b'GetTickCount'\r\nDecrypted: b'%s\u0026%s'\r\nDecrypted: b'UndoubtableEthnologically=antitwilightFluidextract\u0026birefractingUndeceitfulness=huehuetl\u0026\r\nDecrypted: b'UdvGU='\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'POST'\r\nDecrypted: b'%s\u0026%s'\r\nDecrypted: b'UndoubtableEthnologically=antitwilightFluidextract\u0026birefractingUndeceitfulness=huehuetl\u0026\r\nDecrypted: b'UdvGU='\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'POST'\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\", \"MsDkQb2T\": %s, \"jVeNAqf\": %d, \"5ScPjT\": \"'\r\nDecrypted: b'\"}'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'fabledOverstridence/h31BYUqJ28W62tz?nonresister=jYnT8Hj13x\u0026Sixtine=TXEWWGZ\u0026DogvaneHeredi\r\nDecrypted: b'InternetOpenW'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'HttpOpenRequestW'\r\nDecrypted: b'InternetQueryOptionW'\r\nDecrypted: b'Content-Type: application/x-www-form-urlencoded\\r\\nAccept: */*\\r\\nAccept-Language: en-US\r\nDecrypted: b'lstrlenW'\r\nDecrypted: b'lstrlenA'\r\nDecrypted: b'HttpSendRequestW'\r\nDecrypted: b'InternetReadFile'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetSetOptionW'\r\nDecrypted: b'InternetOpenW'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'InternetConnectW'\r\nDecrypted: b'HttpOpenRequestW'\r\nDecrypted: b'InternetQueryOptionW'\r\nDecrypted: b'Content-Type: application/x-www-form-urlencoded\\r\\nAccept: */*\\r\\nAccept-Language: en-US\r\nDecrypted: b'lstrlenA'\r\nDecrypted: b'HttpSendRequestW'\r\nDecrypted: 
b'InternetReadFile'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetSetOptionW'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetCloseHandle'\r\nDecrypted: b'InternetReadFile'\r\nDecrypted: b'RegCreateKeyExW'\r\nDecrypted: b'RegSetValueExW'\r\nDecrypted: b'RegCloseKey'\r\nDecrypted: b'RegOpenKeyExW'\r\nDecrypted: b'RegQueryValueExW'\r\nDecrypted: b'RegCloseKey'\r\nDecrypted: b'RegCloseKey'\r\nDecrypted: b'C:\\\\'\r\nDecrypted: b'GetVolumeInformationW'\r\nDecrypted: b'%s\\\\%s|%s'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'%07lX%09lX%lu'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'GetUserDefaultLangID'\r\nDecrypted: b'%appdata%\\\\Microsoft\\\\'\r\nDecrypted: b'lotterSig'\r\nDecrypted: b'\\\\'\r\nDecrypted: b'ExpandEnvironmentStringsW'\r\nDecrypted: b'GetFileAttributesW'\r\nDecrypted: b'Synanthic'\r\nDecrypted: b'.dll'\r\nDecrypted: b'.exe'\r\nDecrypted: b'CreateFileW'\r\nDecrypted: b'WriteFile'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CreateDirectoryW'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'SOFTWARE\\\\Microsoft\\\\%s'\r\nDecrypted: b'lotterSig'\r\nDecrypted: b'Subadmini'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\", \"NUn3h77h\": \"%s\", \"W381C\": \"Win %d.%d %d\", \"SJ3sWSeKQ\": %s, \"YlSwktC\r\nDecrypted: b'GG9TU@T@f0adda360d2b4ccda11468e026526576'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'AV89JS'\r\nDecrypted: b'TrichinopolyUncontriving/uiDV6mKfgGakdg?unshelledSplitnut=vEzlHkL'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'SOFTWARE\\\\Microsoft\\\\%s'\r\nDecrypted: b'lotterSig'\r\nDecrypted: b'Subadmini'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'CreateToolhelp32Snapshot'\r\nDecrypted: 
b'Process32FirstW'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'Process32NextW'\r\nDecrypted: b'explorer.exe'\r\nDecrypted: b'OpenProcess'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'InitializeProcThreadAttributeList'\r\nDecrypted: b'InitializeProcThreadAttributeList'\r\nDecrypted: b'UpdateProcThreadAttribute'\r\nDecrypted: b'DeleteProcThreadAttributeList'\r\nDecrypted: b'NvtocV4e'\r\nDecrypted: b'UpdateProcThreadAttribute'\r\nDecrypted: b'InitializeProcThreadAttributeList'\r\nDecrypted: b'InitializeProcThreadAttributeList'\r\nDecrypted: b'UpdateProcThreadAttribute'\r\nDecrypted: b'CreateProcessW'\r\nDecrypted: b'DeleteProcThreadAttributeList'\r\nDecrypted: b'UpdateProcThreadAttribute'\r\nDecrypted: b'IsWow64Process'\r\nDecrypted: b'CreateToolhelp32Snapshot'\r\nDecrypted: b'Process32FirstW'\r\nDecrypted: b'['\r\nDecrypted: b'\"%s:%d:%d:%d:%d:%d:%d\"'\r\nDecrypted: b', \"%s:%d:%d:%d:%d:%d:%d\"'\r\nDecrypted: b']'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'Process32NextW'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'CreatePipe'\r\nDecrypted: b'CreateProcessW'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'WaitForSingleObject'\r\nDecrypted: b'PeekNamedPipe'\r\nDecrypted: b'ReadFile'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'CloseHandle'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'NvtocV4e'\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\", \"isjuuMr\": \"%s\", \"MsDkQb2T\": %s}'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'nanoinstructionFrisesomorum/XjqtQzQyycNZVoIQ?unapplicability=i73MV07GwaCH13Q'\r\nDecrypted: b'BaylZ'\r\nDecrypted: 
b'ExpandEnvironmentStringsW'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\", \"isjuuMr\": \"%s\", \"MsDkQb2T\": %s}'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'nanoinstructionFrisesomorum/XjqtQzQyycNZVoIQ?unapplicability=i73MV07GwaCH13Q'\r\nDecrypted: b'BaylZ'\r\nDecrypted: b'ExpandEnvironmentStringsW'\r\nDecrypted: b'{\"mdPNC6f8\": \"%s\", \"isjuuMr\": \"%s\", \"MsDkQb2T\": %s}'\r\nDecrypted: b'wsprintfA'\r\nDecrypted: b'nanoinstructionFrisesomorum/XjqtQzQyycNZVoIQ?unapplicability=i73MV07GwaCH13Q'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'qqmyS'\r\nDecrypted: b'tK5nVvwh'\r\nDecrypted: b'mGTYP'\r\nDecrypted: b'2bjHya'\r\nDecrypted: b'whoami.exe /all'\r\nDecrypted: b'ipconfig.exe /all'\r\nDecrypted: b'netstat.exe -aon'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'dLmghDRe'\r\nDecrypted: b'ExitProcess'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'bustlingly/e9vliMRRWKSd?DeediestBromes=awIAh8S\u0026bonaght=5vh1psTtP2mk9\u0026stiltyKetohexose=jc\r\nDecrypted: b'Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run'\r\nDecrypted: b'Synanthic'\r\nDecrypted: b'rundll32'\r\nDecrypted: b'.dll'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'.exe'\r\nDecrypted: b'wsprintfW'\r\nDecrypted: b'\u0026'\r\nDecrypted: b'HxTPXf'\r\nDecrypted: b'yAJsnWxR'\r\nDecrypted: b'4qRRArO'\r\nDecrypted: b'NvtocV4e'\r\nDecrypted: b'qo9g3J'\r\nDecrypted: b'GhPTR'\r\nDecrypted: b'dLmghDRe'\r\nDecrypted: b'9PpreQMX'\r\nDecrypted: 
b'pKW7fqi2'\r\nRejected:\r\nb'{F542086F-F5EF-48C4-8B12-49ED805B0205}'\r\nb'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/=+'\r\nb'l9SpFBoXEyglbY0ginoTUBd=pP=y6rVcQG8tP/zV4iqr06yZKEb+VCg1yQJ5jUNE'\r\nb'FdbAwsDj0FJcgkLPb1J/mqGU7T6e98p9CMnoB'\r\nb'\\x19\u003cjcy]X\\r]'\r\nb'1.1.15-ghost'\r\nb'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'\r\nb'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'\r\nb'%s \"%s%s%s\", %s'\r\nb'lJK\\x03\\x190'\r\n{'strings': [{'offset': 5621, 'value': 'CreateMutexW'}, {'offset': 6224, 'value': 'GetLastError'}, {\r\nSource: https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html"
	],
	"report_names": [
		"new-pikabot-strings.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439049,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba82d1f820b2e81f3e994832ead21774acd85f74.pdf",
		"text": "https://archive.orkl.eu/ba82d1f820b2e81f3e994832ead21774acd85f74.txt",
		"img": "https://archive.orkl.eu/ba82d1f820b2e81f3e994832ead21774acd85f74.jpg"
	}
}