Analysis Date: 2014-02-22 02:36:34
MD5: 311521c43b0601b136d8601976e54382
SHA1: 680d9dc921b18c4ca8c60ad4e62b6f5f388972a3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: a3d925a7dd3b927dda6e92c046c59d86 sha1: 1ad91faa907d7b67ce55c3c06610ccebe85e2dcd size: 219136
Section: .data md5: 0c5298720d0922985230fcebf45feacb sha1: 6597a1f85881a629e8ad0512bb34e4d0ebdf3581 size: 6656
Section: .rsrc md5: e86398dba0191456aaac41550d509e93 sha1: 7d70379f4e3ea6d577c72e60c5950b9e6cd755bc size: 1024
Section: .mjg md5: c8a1040f129ee25facf1b363c8a57fcb sha1: a44b6288d05baccccb3a865cc36d3b9db52d15a5 size: 1536
Timestamp: 2009-02-06 10:09:58
Pdb path: WmiPrvSE.pdb
Version:
  LegalCopyright: © Microsoft Corporation. All rights reserved.
  InternalName: Wmiprvse.exe
  FileVersion: 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
  CompanyName: Microsoft Corporation
  ProductName: Microsoft® Windows® Operating System
  ProductVersion: 5.1.2600.5755
  FileDescription: WMI
  OriginalFilename: Wmiprvse.exe
Packer: AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER
PEhash: d3ee9d6d47c6100534f41c3836f317f803b5fca4
IMPhash: 0283c5bd148e842274e478b66a025bd0
AV: avg: Win32/Parite
AV: clamav: Heuristics.W32.Parite.B
AV: avira: W32/Parite
AV: msse: Virus:Win32/Parite.B
AV: mcafee: W32/Pate.b

Runtime Details:


Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\uca1.tmp

Network Details:



Strings
