Ukrainian SCADA Malware Strings Dump

QueryPerformanceCounter
0)A
PSAPI.DLL
@0A
XbA
Cb@
ShellExecuteW
USER32.DLL
GetLengthSid
C-r-e-a-t-e-S-e-r-v-i-c-e-W-
new[]
p-l-i-c-a-t-i-o-n- -S-e-r-v-i-c-e- -M-a-n-a-g-e-r-
8VA
Tue
October
Fri
wsprintfW
delete
`virtual displacement map'
ccs=
SetUnhandledExceptionFilter
IsDebuggerPresent
Unknown exception
C-o-n-t-r-o-l-S-e-r-v-i-c-e-
GetLocaleInfoA
GetDriveTypeA
.crt.bin.exe.db.dbf.pdf.djvu.doc.docx.xls.xlsx.jar.ppt.pptx.tib.vhd.iso.lib.mdb.accdb.sql.mdf.xml.rtf.ini.cfg.boot.txt.rar.msi.zip.jpg.bmp.jpeg.tiff
runtime error
SetSecurityDescriptorDacl
TerminateThread
CreateFileA
W-r-i-t-e-F-i-l-e-
DOMAIN error
open
GetLastActivePopup
O-p-e-n-S-e-r-v-i-c-e-W-
TlsAlloc
HeapAlloc
$*A
ADVAPI32.dll
April
A-d-j-u-s-t-T-o-k-e-n-P-r-i-v-i-l-e-g-e-s-
__stdcall
35DPA
GetCommandLineW
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
<<=
%c:\
Friday
GetTempPathW
ntfs
h,A
December
\PA
.-d-l-l-
stem32\icacls.exe
__clrcall
USER32.dll
\1A
R-e-g-S-e-t-V-a-l-u-e-E-x-W-
`udt returning'
%08X.tmp
__fastcall
GetCPInfo
`string'
`vector destructor iterator'
`managed vector constructor iterator'
0	A
D$4
3Hw
`eh vector copy constructor iterator'
GetStdHandle
L%A
l-l-.-d-l-l-
InitializeCriticalSection
GetShortPathNameW
ExitWindowsEx
JanFebMarAprMayJunJulAugSepOctNovDec
Sun
OpenEventW
Complete Object Locator'
GetLastError
GetEnvironmentVariableW
F-8
h)A
Process32NextW
GetModuleHandleW
$0A
h%A
November
DeleteFileW
@1A
`eh vector constructor iterator'
x1A
Thu
R6019
- unable to open console device
FreeEnvironmentStringsA
oolsv.exe
GetModuleBaseNameW
GetACP
dddd, MMMM dd, yyyy
<*A
llA
\*A
PA
G-e-t-C-u-r-r-e-n-t-P-r-o-c-e-s-s-
KERNEL32.DLL
R6024
- not enough space for _onexit/atexit table
Sunday
S-t-a-r-t-S-e-r-v-i-c-e-C-t-r-l-D-i-s-p-a-t-c-h-e-r-W-
CreateProcessW
g.exe
*.*
Jun
CryptCATAdminEnumCatalogFromHash
b-r-a-r-y-W-
.dll.exe.xml.ttf.nfo.fon.ini.cfg.boot.jar
N-t-Q-u-e-r-y-S-y-s-t-e-m-T-i-m-e-
January
GetCurrentProcessId
T)A
|)A
SetStdHandle
$1A
Tuesday
TlsGetValue
gf@
q<*v
GetVersionExA
TLOSS error
auclt.exe
GetEnvironmentStrings
R6030
- CRT not initialized
p(A
FindClose
`vector vbase constructor iterator'
`managed vector copy constructor iterator'
xlA
S-t-a-r-t-S-e-r-v-i-c-e-W-
P'A
GetCurrentThreadId
GetFileType
\)A
Nov
SetHandleCount
CloseHandle
`omni callsig'
p,A
GetActiveWindow
GetStartupInfoW
Saturday
C-l-o-s-e-S-e-r-v-i-c-e-H-a-n-d-l-e-
R6009
- not enough space for environment
ive%d
nhost.exe
/c format %c: /Y /X /FS:NTFS
TlsSetValue
KERNEL32.dll
FlsGetValue
R6016
- not enough space for thread data
CryptCATCatalogInfoFromContext
t0A
X'A
GetStringTypeW
Wed
GetOEMCP
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R-e-g-D-e-l-e-t-e-K-e-y-W-
Base Class Array'
RtlUnwind
`local vftable'
Process32FirstW
LocalAlloc
R6018
- unexpected heap error
SetFilePointerEx
=%06d=.tmp
DecodePointer
GetFileAttributesW
Jf=.
Jan
SeDebugPrivilege
R-e-g-i-s-t-e-r-S-e-r-v-i-c-e-C-t-r-l-H-a-n-d-l-e-r-W-
CreateToolhelp32Snapshot
`vector deleting destructor'
R6026
- not enough space for stdio initialization
fat16
__restrict
`copy constructor closure'
Runtime Error!

Program:
LoadLibraryA
D*A
GetProcAddress
YGw
`vbtable'
<program name unknown>
__cdecl
P]A
HH:mm:ss
hDPA
GetEnvironmentStringsW
wevtutil clear-log System
September
vice
x,A
HeapSize
WriteConsoleA
_service
VirtualAlloc
G-e-t-T-o-k-e-n-I-n-f-o-r-m-a-t-i-o-n-
delete[]
FlsSetValue
HeapFree
4@A
GetStringTypeA
Base Class Descriptor at (
GetVolumeInformationW
m.exe
O-p-e-n-S-C-M-a-n-a-g-e-r-W-
|>A
OpenProcess
0(A
CreateThread
GetTickCount
|'A
SetFilePointer
__unaligned
exe
...
CorExitProcess
GetConsoleMode
^]@
CreateFileW
`local static thread guard'
HeapDestroy
GetWindowsDirectoryW
GetConsoleOutputCP
\0A
DeleteCriticalSection
/c copy %ls %ls
ExitProcess
HeapReAlloc
f=\
$)A
WriteConsoleW
P*A
GetVersionExW
`vector constructor iterator'
GetStartupInfoA
/P:1
`vbase destructor'
MM/dd/yy
util clear-log Application
8%A
FlsAlloc
f-t-A-p-p-l-i-c-a-t-i-o-n-M-g-r-
May
D-e-l-e-t-e-S-e-r-v-i-c-e-
LoadLibraryW
GetModuleFileNameExW
D$0j
O-p-e-n-P-r-o-c-e-s-s-
smss.exe
FlushFileBuffers
lsm.exe
F-16LE
FindFirstFileW
hlA
WaitForMultipleObjects
LCMapStringA
C-r-e-a-t-e-F-i-l-e-W-
plA
0*A
OpenProcessToken
MultiByteToWideChar
Microsoft Visual C++ Runtime Library
Wow64FsRedirection
`vftable'
GetCurrentProcess
L-o-o-k-u-p-P-r-i-v-i-l-e-g-e-N-a-m-e-W-
R-e-g-Q-u-e-r-y-V-a-l-u-e-E-x-W-
`dynamic initializer for '
`scalar deleting destructor'
`vcall'
June
>>=
LCMapStringW
February
(null)
SetLastError
WaitForSingleObject
/c format %c: /Y /Q
InterlockedIncrement
lsass.exe
`dynamic atexit destructor for '
|%A
CONOUT$
!b@
T&A
t.exe
UnhandledExceptionFilter
Mon
SetNamedSecurityInfoW
nit.exe
operator
s.exe
__based(
__pascal
t)A
$eA
ym@
Sat
P	A
R-e-g-C-l-o-s-e-K-e-y-
w-s-p-r-i-n-t-f-W-
Oct
wevtutil clear-log Setup
__ptr64
.exe
SHELL32.dll
GetConsoleCP
4'A
IsValidSid
R6027
- not enough space for lowio initialization
DeviceIoControl
copy %ls %ls
H)A
R-e-g-O-p-e-n-K-e-y-E-x-W-
Jul
t,A
->*
HeapCreate
MessageBoxA
SING error
/c sc create
Asec_service.exe
Monday
WinExec
ReadFile
`eh vector vbase copy constructor iterator'
GetCommandLineA
GetTokenInformation
August
LocalFree
GetModuleHandleA
R6008
- not enough space for arguments
CreateEventW
R6025
- pure virtual function call
`eh vector destructor iterator'
EnterCriticalSection
`placement delete closure'
type= own start= auto displayname= "
R-t-l-T-i-m-e-T-o-S-e-c-o-n-d-s-S-i-n-c-e-1-9-7-0-
XPA
GetDriveTypeW
XlA
dlA
R-e-g-C-r-e-a-t-e-K-e-y-E-x-W-
`	A
@	A
Sf@
GetProcessHeap
SetEndOfFile
vssadmin delete shadows /all /quiet
Jl@
`EH
L(A
Type Descriptor'
SetEvent
/C /Q /grant
Apr
R6032
- not enough space for locale information
FreeEnvironmentStringsW
FlsFree
A
x)A
S-e-t-S-e-r-v-i-c-e-S-t-a-t-u-s-
l-3-2-.-d-l-l-
`eh vector vbase constructor iterator'
;
DPA
DPA
@?A
O-p-e-n-P-r-o-c-e-s-s-T-o-k-e-n-
p	A
ogon.exe
`vector vbase copy constructor iterator'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
</assembly>
VirtualFree
R6002
- floating point not loaded
R6017
- unexpected multithread lock error
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
taskhost.exe
GetProcessWindowStation
R-e-a-d-F-i-l-e-
new
CryptCATAdminReleaseContext
CopySid
`local vftable constructor closure'
l,A
GetUserObjectInformationA
LeaveCriticalSection
SysWow64
`vector copy constructor iterator'
InitializeSecurityDescriptor
\lA
GetModuleFileNameW
jjj
July
D'A
C-l-o-s-e-H-a-n-d-l-e-
WideCharToMultiByte
X>A
8PE
__thiscall
EncodePointer
SunMonTueWedThuFriSat
WriteFile
L-o-o-k-u-p-A-c-c-o-u-n-t-S-i-d-W-
Feb
Wintrust.dll
Sleep
bad allocation
`typeof'
InterlockedDecrement
services.exe
%08X.exe
h*A
l>A
Dec
R6028
- unable to initialize heap
InitializeCriticalSectionAndSpinCount
allocation
RaiseException
CryptCATAdminAcquireContext
`default constructor closure'
Aug
`managed vector destructor iterator'
GetSystemTimeAsFileTime
`h````
`local static guard'
Thursday
wevtutil clear-log Security
Class Hierarchy Descriptor'
ODE
FindNextFileW
GetModuleFileNameA
GetLogicalDrives
C	w^A	w
hFromFileHandle
csrss.exe
/c del /F /S /Q %c:\*.*
er.exe
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
`placement delete[] closure'
Wednesday
mscoree.dll
wn.exe
March
TlsFree
`RTTI
Mar
t*A
Sep
kernel32.dll
TerminateProcess