hasherezade/pony_strings.txt Secret

## pony_strings.txt
Appendix to:
https://blog.malwarebytes.org
captured and filtered by: hasherezade
---
----
//visited sited:
----
http://windowsupdate.microsoft.com/update
http://forgedforce.com/images/wp/wp.php
http://marionainteriors.com/wordpress/wp-includes/images/wp/wp.php
http://interceptlabs.com/wp/wp-includes/images/wp/wp.php
http://encodesoftware.co.uk/images/smileys/wp/wp.php
http://handydiscount.co.uk/image/wp/wp.php
---
// common passwords list
---
123456
password
phpbb
qwerty
12345
jesus
12345678
1234
abc123
letmein
test
love
password1
hello
monkey
dragon
trustno1
111111
iloveyou
1234567
shadow
123456789
christ
sunshine
master
computer
princess
tigger
football
angel
jesus1
123123
whatever
freedom
killer
asdf
soccer
superman
michael
cheese
internet
joshua
fuckyou
blessed
baseball
starwars
000000
purple
jordan
faith
summer
ashley
buster
heaven
pepper
7777777
hunter
lovely
andrew
thomas
angels
charlie
daniel
1111
jennifer
single
hannah
qazwsx
happy
matrix
pass
aaaaaa
654321
amanda
nothing
ginger
mother
snoopy
jessica
welcome
pokemon
iloveyou1
11111
mustang
helpme
justin
jasmine
orange
testing
apple
michelle
peace
secret
grace
william
iloveyou2
nicole
666666
muffin
gateway
fuckyou1
asshole
hahaha
poop
blessing
blahblah
myspace1
matthew
canada
silver
robert
forever
asdfgh
rachel
rainbow
guitar
peanut
batman
cookie
bailey
soccer1
mickey
biteme
hello1
eminem
dakota
samantha
compaq
diamond
taylor
forum
john316
richard
blink182
peaches
cool
flower
scooter
banana
james
asdfasdf
victory
london
123qwe
123321
startrek
george
winner
maggie
trinity
online
123abc
chicken
junior
chris
passw0rd
austin
sparky
admin
merlin
google
friends
hope
shalom
nintendo
looking
harley
smokey
7777
joseph
lucky
digital
thunder
spirit
bandit
enter
anthony
corvette
hockey
power
benjamin
iloveyou!
1q2w3e
viper
genesis
knight
qwerty1
creative
foobar
adidas
rotimi
slayer
wisdom
praise
zxcvbnm
samuel
mike
dallas
green
testtest
maverick
onelove
david
mylove
church
friend
destiny
none
microsoft
222222
bubbles
11111111
cocacola
jordan23
ilovegod
football1
loving
nathan
emmanuel
scooby
fuckoff
sammy
maxwell
jason
john
1q2w3e4r
baby
red123
blabla
prince
qwert
chelsea
55555
angel1
hardcore
dexter
saved
112233
hallo
jasper
danielle
kitten
cassie
stella
prayer
hotdog
windows
mustdie
gates
billgates
ghbdtn
gfhjkm
1234567890
---
// known Pony artefact:
---
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
MODU
---
// registry key:
---
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
.exe
---
// writes a registry key, faking WinRAR:
---
Software\WinRAR
open
---
// loaded modules and functions:
---
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
---
// searched folders:
---
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
---
// registry key
---
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
---
// searched process:
---
explorer.exe
---
// searched prefix of SID
---
S-1-5-18
---
// loaded functions:
---
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
---
// for the network communication:
---
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
GET %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
\*.*
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
\NetSarang
.xfp
Client Hash
STATUS-IMPORT-OK
%d.exe
%02X
true
---
// related to the bash script for deleting the file:
---
%d.bat
      "%s"
ShellExecuteA
	   :ktk
     del    	 %1
	if  		 exist 	   %1  	  goto
 ktk
 del 	  %0
---
// loaded functions and modules
---
shell32.dll
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
Sleep
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
kernel32.dll
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
OleInitialize
ole32.dll
wsprintfA
user32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
GetUserNameA
advapi32.dll
ShellExecuteA
shell32.dll
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
StrStrIA
StrRChrIA
StrToIntA
shlwapi.dll
inet_addr
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
WSAStartup
wsock32.dll
LoadUserProfileA
UnloadUserProfile
userenv.dll
	Appendix to:
	https://blog.malwarebytes.org
	captured and filtered by: hasherezade
	---
	----
	//visited sited:
	----
	http://windowsupdate.microsoft.com/update
	http://forgedforce.com/images/wp/wp.php
	http://marionainteriors.com/wordpress/wp-includes/images/wp/wp.php
	http://interceptlabs.com/wp/wp-includes/images/wp/wp.php
	http://encodesoftware.co.uk/images/smileys/wp/wp.php
	http://handydiscount.co.uk/image/wp/wp.php
	---
	// common passwords list
	---
	123456
	password
	phpbb
	qwerty
	12345
	jesus
	12345678
	1234
	abc123
	letmein
	test
	love
	password1
	hello
	monkey
	dragon
	trustno1
	111111
	iloveyou
	1234567
	shadow
	123456789
	christ
	sunshine
	master
	computer
	princess
	tigger
	football
	angel
	jesus1
	123123
	whatever
	freedom
	killer
	asdf
	soccer
	superman
	michael
	cheese
	internet
	joshua
	fuckyou
	blessed
	baseball
	starwars
	000000
	purple
	jordan
	faith
	summer
	ashley
	buster
	heaven
	pepper
	7777777
	hunter
	lovely
	andrew
	thomas
	angels
	charlie
	daniel
	1111
	jennifer
	single
	hannah
	qazwsx
	happy
	matrix
	pass
	aaaaaa
	654321
	amanda
	nothing
	ginger
	mother
	snoopy
	jessica
	welcome
	pokemon
	iloveyou1
	11111
	mustang
	helpme
	justin
	jasmine
	orange
	testing
	apple
	michelle
	peace
	secret
	grace
	william
	iloveyou2
	nicole
	666666
	muffin
	gateway
	fuckyou1
	asshole
	hahaha
	poop
	blessing
	blahblah
	myspace1
	matthew
	canada
	silver
	robert
	forever
	asdfgh
	rachel
	rainbow
	guitar
	peanut
	batman
	cookie
	bailey
	soccer1
	mickey
	biteme
	hello1
	eminem
	dakota
	samantha
	compaq
	diamond
	taylor
	forum
	john316
	richard
	blink182
	peaches
	cool
	flower
	scooter
	banana
	james
	asdfasdf
	victory
	london
	123qwe
	123321
	startrek
	george
	winner
	maggie
	trinity
	online
	123abc
	chicken
	junior
	chris
	passw0rd
	austin
	sparky
	admin
	merlin
	google
	friends
	hope
	shalom
	nintendo
	looking
	harley
	smokey
	7777
	joseph
	lucky
	digital
	thunder
	spirit
	bandit
	enter
	anthony
	corvette
	hockey
	power
	benjamin
	iloveyou!
	1q2w3e
	viper
	genesis
	knight
	qwerty1
	creative
	foobar
	adidas
	rotimi
	slayer
	wisdom
	praise
	zxcvbnm
	samuel
	mike
	dallas
	green
	testtest
	maverick
	onelove
	david
	mylove
	church
	friend
	destiny
	none
	microsoft
	222222
	bubbles
	11111111
	cocacola
	jordan23
	ilovegod
	football1
	loving
	nathan
	emmanuel
	scooby
	fuckoff
	sammy
	maxwell
	jason
	john
	1q2w3e4r
	baby
	red123
	blabla
	prince
	qwert
	chelsea
	55555
	angel1
	hardcore
	dexter
	saved
	112233
	hallo
	jasper
	danielle
	kitten
	cassie
	stella
	prayer
	hotdog
	windows
	mustdie
	gates
	billgates
	ghbdtn
	gfhjkm
	1234567890
	---
	// known Pony artefact:
	---
	YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
	MODU
	---
	// registry key:
	---
	SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
	UninstallString
	DisplayName
	.exe
	---
	// writes a registry key, faking WinRAR:
	---
	Software\WinRAR
	open
	---
	// loaded modules and functions:
	---
	kernel32.dll
	WTSGetActiveConsoleSessionId
	ProcessIdToSessionId
	netapi32.dll
	NetApiBufferFree
	NetUserEnum
	ole32.dll
	StgOpenStorage
	advapi32.dll
	AllocateAndInitializeSid
	CheckTokenMembership
	FreeSid
	CredEnumerateA
	CredFree
	CryptGetUserKey
	CryptExportKey
	CryptDestroyKey
	CryptReleaseContext
	RevertToSelf
	OpenProcessToken
	ImpersonateLoggedOnUser
	GetTokenInformation
	ConvertSidToStringSidA
	LogonUserA
	LookupPrivilegeValueA
	AdjustTokenPrivileges
	CreateProcessAsUserA
	crypt32.dll
	CryptUnprotectData
	CertOpenSystemStoreA
	CertEnumCertificatesInStore
	CertCloseStore
	CryptAcquireCertificatePrivateKey
	msi.dll
	MsiGetComponentPathA
	pstorec.dll
	PStoreCreateInstance
	userenv.dll
	CreateEnvironmentBlock
	DestroyEnvironmentBlock
	shell32.dll
	SHGetFolderPathA
	---
	// searched folders:
	---
	My Documents
	AppData
	Local AppData
	Cache
	Cookies
	History
	My Documents
	Common AppData
	My Pictures
	Common Documents
	Common Administrative Tools
	Administrative Tools
	Personal
	---
	// registry key
	---
	Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
	---
	// searched process:
	---
	explorer.exe
	---
	// searched prefix of SID
	---
	S-1-5-18
	---
	// loaded functions:
	---
	SeImpersonatePrivilege
	SeTcbPrivilege
	SeChangeNotifyPrivilege
	SeCreateTokenPrivilege
	SeBackupPrivilege
	SeRestorePrivilege
	SeIncreaseQuotaPrivilege
	SeAssignPrimaryTokenPrivilege
	---
	// for the network communication:
	---
	POST %s HTTP/1.0
	Host: %s
	Accept: /
	Accept-Encoding: identity, *;q=0
	Content-Length: %lu
	Connection: close
	Content-Type: application/octet-stream
	Content-Encoding: binary
	User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
	Content-Length:
	Location:
	GET %s HTTP/1.0
	Host: %s
	Accept: /
	Accept-Encoding: identity, *;q=0
	Connection: close
	User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
	\.
	HWID
	{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
	GetNativeSystemInfo
	kernel32.dll
	IsWow64Process
	\NetSarang
	.xfp
	Client Hash
	STATUS-IMPORT-OK
	%d.exe
	%02X
	true
	---
	// related to the bash script for deleting the file:
	---
	%d.bat
	"%s"
	ShellExecuteA
	:ktk
	del %1
	if exist %1 goto
	ktk
	del %0
	---
	// loaded functions and modules
	---
	shell32.dll
	CreateFileA
	ReadFile
	CloseHandle
	WriteFile
	lstrlenA
	GlobalLock
	GlobalUnlock
	LocalFree
	LocalAlloc
	GetTickCount
	lstrcpyA
	lstrcatA
	GetFileAttributesA
	ExpandEnvironmentStringsA
	GetFileSize
	CreateFileMappingA
	MapViewOfFile
	UnmapViewOfFile
	LoadLibraryA
	GetProcAddress
	GetTempPathA
	CreateDirectoryA
	DeleteFileA
	GetCurrentProcess
	WideCharToMultiByte
	GetLastError
	lstrcmpA
	CreateToolhelp32Snapshot
	Process32First
	OpenProcess
	Process32Next
	FindFirstFileA
	lstrcmpiA
	FindNextFileA
	FindClose
	GetModuleHandleA
	GetVersionExA
	GetLocaleInfoA
	GetSystemInfo
	Sleep
	GetModuleFileNameA
	LCMapStringA
	ExitProcess
	SetUnhandledExceptionFilter
	kernel32.dll
	CreateStreamOnHGlobal
	GetHGlobalFromStream
	CoCreateGuid
	OleInitialize
	ole32.dll
	wsprintfA
	user32.dll
	RegOpenKeyExA
	RegQueryValueExA
	RegCloseKey
	RegOpenKeyA
	RegEnumKeyExA
	RegCreateKeyA
	RegSetValueExA
	IsTextUnicode
	RegOpenCurrentUser
	GetUserNameA
	advapi32.dll
	ShellExecuteA
	shell32.dll
	InternetCrackUrlA
	InternetCreateUrlA
	wininet.dll
	StrStrIA
	StrRChrIA
	StrToIntA
	shlwapi.dll
	inet_addr
	gethostbyname
	socket
	connect
	closesocket
	send
	select
	recv
	setsockopt
	WSAStartup
	wsock32.dll
	LoadUserProfileA
	UnloadUserProfile
	userenv.dll