kernel32|0x0|0x1e4e54d6|LoadLibraryA kernel32|0x4|0xea9ae187|LoadLibraryW kernel32|0x8|0xfbe7cad4|FreeLibrary kernel32|0xc|0xe8f3f6a4|GetProcAddress kernel32|0x10|0x90098c2b|GetModuleHandleA kernel32|0x14|0xe07c512d|CreateToolhelp32Snapshot kernel32|0x18|0x1906f55b|Module32First kernel32|0x1c|0xd71ef109|Module32Next kernel32|0x20|0x6ed77e75|WriteProcessMemory kernel32|0x24|0xfea8b810|OpenProcess kernel32|0x28|0x4ac7c978|VirtualFreeEx kernel32|0x2c|0xc1d7521e|WaitForSingleObject kernel32|0x30|0x911cfcaf|CloseHandle kernel32|0x34|0x1f871ed0|LocalFree kernel32|0x38|0x7d0a851c|CreateProcessW kernel32|0x3c|0xd6484719|ReadProcessMemory kernel32|0x40|0x7f318fe|Process32First kernel32|0x44|0x23013c9b|Process32Next kernel32|0x48|0xa018e917|Process32FirstW kernel32|0x4c|0x9de48ee4|Process32NextW kernel32|0x50|0xc7283607|CreateProcessAsUserW kernel32|0x54|0xc7a16b16|VirtualAllocEx kernel32|0x58|0x2841e411|VirtualAlloc kernel32|0x5c|0x99db6fa4|OpenThread kernel32|0x60|0xea38c5a6|Wow64DisableWow64FsRedirection kernel32|0x64|0x812beb54|Wow64EnableWow64FsRedirection kernel32|0x68|0xf4a2ae11|GetVolumeInformationW kernel32|0x6c|0xfdfdd50|IsWow64Process kernel32|0x70|0xb1e5efeb|CreateThread kernel32|0x74|0x80600072|CreateFileW kernel32|0x78|0xf9a41fc1|FindClose kernel32|0x7c|0xe53b4016|GetFileAttributesW kernel32|0x80|0xce48032f|SetFilePointer kernel32|0x84|0xed66bf49|WriteFile kernel32|0x88|0x28d3ea8b|ReadFile kernel32|0x8c|0xf823cd08|CreateMutexA kernel32|0x90|0x6606f84|ReleaseMutex kernel32|0x94|0x1f8f8221|FindResourceA kernel32|0x98|0xe2961379|SizeofResource kernel32|0x9c|0xb3704174|LoadResource kernel32|0xa0|0x70f00653|GetTickCount64 kernel32|0xa4|0x73e1e496|ExpandEnvironmentStringsW kernel32|0xa8|0x4511509a|GetThreadContext kernel32|0xac|0xfc74096f|SetLastError kernel32|0xb0|0x6fd898fc|GetComputerNameW kernel32|0xb4|0xef7d04f3|Sleep kernel32|0xb8|0xbe3df3c|SleepEx kernel32|0xbc|0x33ab25ed|OpenEventA kernel32|0xc0|0xea743c3c|SetEvent kernel32|0xc4|0x1b95a5a2|CreateEventA kernel32|0xc8|0x4fe73327|TerminateThread kernel32|0xcc|0xddb22047|QueryFullProcessImageNameW kernel32|0xd0|0x407f2133|CreateNamedPipeA kernel32|0xd4|0xa315ad21|ConnectNamedPipe kernel32|0xd8|0x3a3bd47b|GetLocalTime kernel32|0xdc|0x49f7e97|ExitProcess kernel32|0xe0|0xfadc8f02|GetEnvironmentVariableW kernel32|0xe4|0x78577859|GetExitCodeThread kernel32|0xe8|0x8674a83e|GetFileSize kernel32|0xec|0x31898674|VirtualProtect kernel32|0xf0|0x7c97ed48|VirtualProtectEx kernel32|0xf4|0xde0f654b|CreateRemoteThread kernel32|0xf8|0xfbf2a8dd|SetEnvironmentVariableW kernel32|0xfc|0x19fd57e2|ResumeThread kernel32|0x100|0x8acf56d6|TerminateProcess kernel32|0x104|0xb0f9be3a|AddVectoredExceptionHandler kernel32|0x108|0x44c037c1|DeleteFileW kernel32|0x10c|0xd4c28093|CopyFileW ntdll|0x0|0x805bb02f|RtlAllocateHeap ntdll|0x4|0x8e9e557f|RtlFreeHeap ntdll|0x8|0x95eae1ee|RtlGetVersion ntdll|0xc|0xbf61a2db|NtCreateSection ntdll|0x10|0xb1c7d6ad|NtUnmapViewOfSection ntdll|0x14|0x8599d7e7|NtMapViewOfSection ntdll|0x18|0xc5087062|NtWriteVirtualMemory ntdll|0x1c|0x7da2f3cc|NtProtectVirtualMemory ntdll|0x20|0x2c862e0b|NtClose ntdll|0x24|0x70140470|ZwQueryInformationThread user32|0x0|0x76a2b4d5|MessageBoxA user32|0x4|0x62d58950|EnumWindows user32|0x8|0x188e70f2|RegisterClassExA user32|0xc|0x1358738e|CreateWindowExA user32|0x10|0xab1d3718|ChangeWindowMessageFilter user32|0x14|0x6a139e20|ShowWindow user32|0x18|0x5faac056|UpdateWindow user32|0x1c|0xa07bfb1f|GetMessageA user32|0x20|0x7c56274f|TranslateMessage user32|0x24|0x802bcf15|DispatchMessageA user32|0x28|0xe8b8cf18|DestroyWindow user32|0x2c|0xe9d0e538|UnregisterClassA user32|0x30|0x1718ada0|PostQuitMessage user32|0x34|0x5e99386f|DefWindowProcA user32|0x38|0xf23dce7a|GetKeyboardLayoutList user32|0x3c|0x2449a7f9|GetSystemMetrics netapi32|0x0|0xa0c95f2a|NetShareEnum netapi32|0x4|0xc012f392|NetUserEnum netapi32|0x8|0xabb9021e|NetWkstaGetInfo netapi32|0xc|0xe7901946|NetApiBufferFree netapi32|0x10|0x333904ac|NetGetDCName netapi32|0x14|0xfee8abf3|NetGetJoinInformation advapi32|0x0|0xc41f1eae|SetFileSecurityW advapi32|0x4|0x2c6c0c94|AdjustTokenPrivileges advapi32|0x8|0x69ed2e46|SetEntriesInAclA advapi32|0xc|0xe6bc918d|AllocateAndInitializeSid advapi32|0x10|0x10e2c0e6|FreeSid advapi32|0x14|0xe0b59388|RegOpenKeyExA advapi32|0x18|0x91b644a5|RegQueryValueExA advapi32|0x1c|0x88a6e86e|RegCloseKey advapi32|0x20|0x39f71fe6|ConvertSidToStringSidA advapi32|0x24|0xac6fd99a|RegCreateKeyA advapi32|0x28|0x6e8242c2|RegSetValueExA advapi32|0x2c|0xc03b29c8|RegLoadKeyW advapi32|0x30|0xe08294b9|RegUnLoadKeyW advapi32|0x34|0x539cb258|OpenSCManagerW advapi32|0x38|0xcdc8017|CreateServiceW advapi32|0x3c|0xa03b78ee|StartServiceW advapi32|0x40|0x836c401|DeleteService advapi32|0x44|0x51fa2684|CloseServiceHandle advapi32|0x48|0x89cdc7fe|CryptAcquireContextA advapi32|0x4c|0xfeb641b7|CryptCreateHash advapi32|0x50|0xe76c684b|CryptHashData advapi32|0x54|0xc64cdb6b|CryptVerifySignatureA advapi32|0x58|0x89cfd395|CryptReleaseContext advapi32|0x5c|0xcc75ccd8|CryptDestroyKey advapi32|0x60|0x2beb28bb|CryptDestroyHash advapi32|0x64|0x71984e56|EqualSid advapi32|0x68|0x6ab818b3|LookupAccountSidW shlwapi|0x0|0x2d322141|StrStrIA shlwapi|0x4|0xd9e69410|StrStrIW shlwapi|0x8|0x9793cfe9|StrCmpIW shlwapi|0xc|0x7f204b72|PathCombineA shlwapi|0x10|0x8bf4fe23|PathCombineW shlwapi|0x14|0x8a259dd0|PathMatchSpecA shlwapi|0x18|0x7ef12881|PathMatchSpecW shlwapi|0x1c|0xf949dc44|PathUnquoteSpacesW shlwapi|0x20|0xaf36baeb|StrTrimW shlwapi|0x24|0x681900c|StrCmpNIA shlwapi|0x28|0xdf398694|StrStrW shell32|0x0|0x3e274882|ShellExecuteW shell32|0x4|0xe6eac264|SHGetFolderPathW wininet|0x0|0xfb994166|InternetOpenA wininet|0x4|0x20eaecbb|InternetOpenUrlA wininet|0x8|0xc496f47f|InternetCloseHandle wininet|0xc|0x233ad4fd|HttpQueryInfoA wininet|0x10|0x4d4f71ae|InternetReadFile wininet|0x14|0x6bd555b5|InternetSetOptionA wininet|0x18|0xe4c07c03|InternetQueryOptionA wininet|0x1c|0xe3c04caf|InternetConnectA wininet|0x20|0x65f2e130|HttpOpenRequestA wininet|0x24|0xde8f58ad|HttpSendRequestA wininet|0x28|0xabfb76fc|InternetCrackUrlA wininet|0x2c|0xa607f795|InternetWriteFile wininet|0x30|0xcb2040c8|InternetGetLastResponseInfoA wininet|0x34|0x14c03cc8|InternetSetStatusCallback wininet|0x38|0xd7ee61ac|HttpQueryInfoW wininet|0x3c|0x37cc637b|HttpAddRequestHeadersA wininet|0x40|0x2af0657c|InternetGetCookieA wininet|0x44|0xbfa9a791|InternetGetCookieExA wininet|0x48|0x1014c952|InternetQueryOptionW wininet|0x4c|0x5d2ac7e4|DeleteUrlCacheEntryW wininet|0x50|0x6f2e59a|GetUrlCacheEntryInfoW urlmon|0x0|0x9838e545|ObtainUserAgentString crypt32|0x0|0x2b62dde5|CryptDecodeObjectEx crypt32|0x4|0x8a69a0bd|CryptImportPublicKeyInfo wtsapi32|0x0|0xddff0d68|WTSQueryUserToken wtsapi32|0x4|0x253fa681|WTSQuerySessionInformationW wtsapi32|0x8|0x78dad9b6|WTSEnumerateSessionsW wtsapi32|0xc|0xd454852f|WTSFreeMemory