.rdata:10012230 0000000A C PSAPI.DLL .rdata:10012240 0000000C C WININET.dll .rdata:10012250 0000000C C SHLWAPI.dll .rdata:10012260 0000000C C gdiplus.dll .rdata:10012270 0000000A C nspr4.dll .rdata:10012280 0000000B C WS2_32.dll .rdata:10012290 0000000C C CRYPT32.dll .rdata:100122A0 0000000B C USER32.dll .rdata:100122B0 0000000A C GDI32.dll .rdata:100122C0 0000000D C ADVAPI32.dll .rdata:100122D0 0000000C C SHELL32.dll .rdata:100122E0 0000000A C ole32.dll .rdata:100122EC 00000015 C CreateProcessAsUserA .rdata:10012304 00000015 C CreateProcessAsUserW .rdata:1001231C 0000000D C advapi32.dll .rdata:1001232C 0000000F C CreateProcessA .rdata:1001233C 0000000F C CreateProcessW .rdata:1001234C 0000000D C kernel32.dll .rdata:1001235C 00000017 C NtProtectVirtualMemory .rdata:10012374 00000017 C LdrGetProcedureAddress .rdata:1001238C 0000000B C LdrLoadDll .rdata:10012398 0000000A C NTDLL.DLL .rdata:100123A4 00000015 C ZwWriteVirtualMemory .rdata:100123BC 00000017 C ZwProtectVirtualMemory .rdata:100123D4 00000010 C CryptGetUserKey .rdata:100123E4 0000000D C ADVAPI32.DLL .rdata:100123F4 00000005 C .pfx .rdata:1001240C 0000000C C AddressBook .rdata:10012418 00000009 C AuthRoot .rdata:10012424 00000015 C CertificateAuthority .rdata:1001243C 0000000B C Disallowed .rdata:10012448 00000005 C Root .rdata:10012450 0000000E C TrustedPeople .rdata:10012460 00000011 C TrustedPublisher .rdata:10012474 0000000B C start rbt\n .rdata:10012480 0000000F C adjust succes\n .rdata:10012490 0000000D C exit succes\n .rdata:100124A0 00000007 C \\\\.\\%s .rdata:100124A8 00000008 C %lu.exe .rdata:100124B0 0000002E C Software\\Microsoft\\Windows\\CurrentVersion\\Run .rdata:100124E4 00000010 C Sart Load DLL\r\n .rdata:100124F4 0000001D C Loading DLL: \"%s\" size: %d\r\n .rdata:10012514 00000012 C Start Write DLL\r\n .rdata:10012528 00000016 C DLL load status: %u\r\n .rdata:10012658 0000001C C Started Soccks status {%u\n} .rdata:10012674 00000014 C Get info status %u\n .rdata:10012688 00000017 C Command received \"%s\"\n .rdata:100126A0 0000000C C MakeScreen\n .rdata:100126AC 00000008 C FAILED\n .rdata:100126B4 0000000D C /t%s.php?%s= .rdata:100126C4 00000011 C 0123456789ABCDEF .rdata:100126D8 00000010 C 192.168.222.128 .rdata:100126E8 00000005 C form .rdata:100126F0 0000004B C /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s .rdata:1001273C 00000007 C Client .rdata:10012744 00000005 C Main .rdata:1001274C 00000005 C FILE .rdata:10012758 0000007B C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%08X&wake=%u&prjct=%d&arch=%u&inf=0&os=%u.%u.%u&guid=%u.%u.%u!%s!%08X .rdata:100127D8 0000000D C /c%s.php?%s= .rdata:100127E8 0000000B C CHROME.DLL .rdata:100127F4 0000000C C closesocket .rdata:10012800 00000008 C WSASend .rdata:10012808 00000008 C WSARecv .rdata:10012810 0000000B C WS2_32.DLL .rdata:1001281C 0000000F C LoadLibraryExW .rdata:1001282C 0000000D C KERNEL32.DLL .rdata:1001283C 00000007 C .rdata .rdata:10012848 00000006 C .text .rdata:10012854 00000009 C PR_Close .rdata:10012860 00000009 C PR_Write .rdata:1001286C 00000008 C PR_Read .rdata:10012874 0000000A C NSPR4.DLL .rdata:10012880 0000000A C nspr4.dll .rdata:1001289C 00000007 C Local\\ .rdata:100128A4 0000001B C .set DiskDirectory1=\"%s\"\r\n .rdata:100128C0 00000019 C .set CabinetName1=\"%s\"\r\n .rdata:100128DC 00000007 C \"%s\"\r\n .rdata:100128EC 0000001B C .set DestinationDir=\"%S\"\r\n .rdata:1001290C 00000007 C \"%S\"\r\n .rdata:10012914 00000014 C makecab.exe /F \"%s\" .rdata:10012928 0000000B C \\setup.inf .rdata:10012934 0000000B C \\setup.rpt .rdata:10012940 00000005 C \\*.* .rdata:10012948 0000001D C cmd /C \"systeminfo.exe > %s\" .rdata:10012968 0000001B C failed start sysinfo - %u\n .rdata:10012984 0000001D C cmd /C \"echo -------- >> %s\" .rdata:100129A4 00000021 C cmd /C \"tasklist.exe /SVC >> %s\" .rdata:100129C8 0000001C C failed start tasklist - %u\n .rdata:100129E4 0000001F C cmd /C \"driverquery.exe >> %s\" .rdata:10012A04 0000001A C failed start driver - %u\n .rdata:10012A20 0000005B C cmd /C \"reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s >> %s\" .rdata:10012A7C 00000015 C failed get reg - %u\n .rdata:10012A94 00000006 C Host: .rdata:10012A9C 0000000C C User-Agent: .rdata:10012AA8 00000010 C Content-Length: .rdata:10012AB8 00000013 C Transfer-Encoding: .rdata:10012ACC 00000017 C HttpAddRequestHeadersW .rdata:10012AE4 00000017 C HttpAddRequestHeadersA .rdata:10012AFC 0000000F C HttpQueryInfoW .rdata:10012B0C 0000000F C HttpQueryInfoA .rdata:10012B1C 00000011 C InternetConnectW .rdata:10012B30 00000011 C InternetConnectA .rdata:10012B44 0000001B C InternetQueryDataAvailable .rdata:10012B60 00000011 C HttpSendRequestW .rdata:10012B74 00000011 C HttpSendRequestA .rdata:10012B88 00000014 C InternetReadFileExW .rdata:10012B9C 00000014 C InternetReadFileExA .rdata:10012BB0 00000011 C InternetReadFile .rdata:10012BC4 0000000C C WININET.DLL .rdata:10012BD0 0000000C C WININET.dll .rdata:10012BDC 0000000A C text/html .rdata:10012BE8 00000006 C image .rdata:10012BF0 0000000A C Referer: .rdata:10012BFC 0000001A C URL: %s\r\nuser=%s\r\npass=%s .rdata:10012C18 0000000A C identity .rdata:10012C24 00000011 C Accept-Encoding: .rdata:10012C38 00000005 C \t\r\n .rdata:10012C44 0000001F C {%08X-%04X-%04X-%04X-%08X%04X} .rdata:10012C64 00000008 C http:// .rdata:10012C6C 00000009 C https:// .rdata:10012C90 00000011 C %08x%08x%08x%08x .rdata:10012CA4 00000005 C @ID@ .rdata:10012CB0 00000008 C @GROUP@ .rdata:10012CB8 00000007 C grabs= .rdata:10012CC0 00000008 C NEWGRAB .rdata:10012CC8 0000000B C SCREENSHOT .rdata:10012CD4 00000008 C PROCESS .rdata:10012CDC 00000007 C HIDDEN .rdata:10012CE4 00000005 C @%s@ .rdata:10012CEC 00000005 C http .rdata:10012CF4 00000005 C POST .rdata:10012CFC 0000000A C URL: %s\r\n .rdata:10012D08 0000000C C ExitProcess .rdata:10012D14 00000010 C %02u:%02u:%02u .rdata:10012D24 00000008 C /fp %lu .rdata:10012D2C 00000005 C %x\r\n .rdata:10012D34 00000017 C Content-Length: %u\r\n\r\n .rdata:10012D4C 00000005 C \r\n\r\n .rdata:10012D54 0000000E C Content-Type: .rdata:10012D64 00000008 C chunked .rdata:10012D6C 00000005 C ocsp .rdata:10012D74 00000015 C SOFTWARE\\AppDataLow\\ .rdata:10012D8C 00000006 C \\Vars .rdata:10012D94 0000000A C \\\\.\\pipe\\ .rdata:10012DA0 0000000C C \\Microsoft\\ .rdata:10012DAC 00000010 C S:(ML;;NW;;;LW) .rdata:10012DC0 00000043 C D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) .rdata:10012E10 00000042 C Content-Disposition: form-data; name=\"upload_file\"; filename=\"%s\" .rdata:10012E58 00000048 C Content-Disposition: form-data; name=\"upload_file\"; filename=\"%.4u.%lu\" .rdata:10012EA0 00000027 C --------------------------%04x%04x%04x .rdata:10012EC8 0000002F C Content-Type: multipart/form-data; boundary=%s .rdata:10012EF8 0000000B C \r\n--%s--\r\n .rdata:10012F04 00000027 C Content-Type: application/octet-stream .rdata:10012F2C 00000011 C --%s\r\n%s\r\n%s\r\n\r\n .rdata:10012F40 0000000F C IsWow64Process .rdata:10012F50 00000009 C kernel32 .rdata:10012F5C 00000007 C UNKNOW .rdata:10012F64 00000021 C ZwWow64QueryInformationProcess64 .rdata:10012F88 0000000A C ntdll.dll .rdata:10012F94 00000005 C .dll .rdata:10012F9C 0000000D C LoadLibraryA .rdata:10012FAC 0000001B C ZwWow64ReadVirtualMemory64 .rdata:10012FC8 00000013 C ZwGetContextThread .rdata:10012FDC 00000013 C ZwSetContextThread .rdata:10012FF0 00000005 C open .rdata:10012FF8 0000001D C %08X-%04X-%04X-%04X-%08X%04X .rdata:10013018 0000000B C kernelbase .rdata:10013024 00000006 C ntdll .rdata:1001302C 00000007 C %s=%s& .rdata:10013039 00000040 C BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ .rdata:10013080 00000051 C |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\]^_`abcdefghijklmnopq .rdata:100130D4 00000012 C SetWindowsHookExW .rdata:100130E8 00000012 C SetWindowsHookExA .rdata:100130FC 0000000B C user32.dll .rdata:1001313C 00000011 C SetThreadDesktop .rdata:10013150 00000011 C TranslateMessage .rdata:10013164 0000001A C CreateDialogIndirectParam .rdata:10013180 00000013 C CreateDialogParamW .rdata:10013194 00000013 C CreateDialogParamA .rdata:100131A8 00000017 C DialogBoxIndirectParam .rdata:100131C0 00000010 C DialogBoxParamW .rdata:100131D0 00000010 C DialogBoxParamA .rdata:100131E0 00000010 C CreateWindowExW .rdata:100131F0 00000010 C CreateWindowExA .rdata:10013200 0000000E C CreateWindowW .rdata:10013210 0000000E C CreateWindowA .rdata:10013616 00000013 C GetMappedFileNameA .rdata:1001362C 00000014 C DeleteUrlCacheEntry .rdata:10013642 00000018 C FindFirstUrlCacheEntryA .rdata:1001365C 00000017 C FindNextUrlCacheEntryA .rdata:10013676 00000012 C FindCloseUrlCache .rdata:1001368A 0000000F C HttpQueryInfoA .rdata:1001369C 00000011 C InternetConnectA .rdata:100136B0 0000001B C InternetQueryDataAvailable .rdata:100136CE 00000014 C InternetReadFileExA .rdata:100136E4 00000011 C InternetReadFile .rdata:100136F8 00000011 C InternetConnectW .rdata:1001370C 00000011 C HttpSendRequestW .rdata:10013720 00000017 C HttpAddRequestHeadersW .rdata:1001373A 0000000F C HttpQueryInfoW .rdata:1001374C 00000014 C InternetReadFileExW .rdata:10013762 00000017 C HttpAddRequestHeadersA .rdata:1001377C 0000001A C InternetSetStatusCallback .rdata:10013798 00000011 C HttpSendRequestA .rdata:100137AC 00000015 C InternetQueryOptionA .rdata:100137C4 00000013 C InternetSetOptionA .rdata:100137DA 00000011 C HttpOpenRequestA .rdata:100137EE 0000000E C InternetOpenA .rdata:100137FE 00000014 C InternetCloseHandle .rdata:10013814 00000009 C StrRChrA .rdata:10013820 00000008 C StrChrW .rdata:1001382A 0000000A C StrToIntA .rdata:10013836 00000008 C StrChrA .rdata:10013840 00000009 C StrTrimA .rdata:1001384C 00000009 C StrStrIA .rdata:10013858 00000009 C StrRChrW .rdata:10013864 00000008 C StrStrA .rdata:1001386E 00000009 C StrCmpNA .rdata:1001387A 0000000C C StrToIntExA .rdata:10013888 00000008 C StrDupA .rdata:10013892 00000016 C GdipSaveImageToStream .rdata:100138AA 00000019 C GdipGetImageEncodersSize .rdata:100138C6 00000011 C GdipDisposeImage .rdata:100138DA 0000001C C GdipCreateBitmapFromHBITMAP .rdata:100138F8 00000015 C GdipGetImageEncoders .rdata:10013910 0000000F C GdiplusStartup .rdata:10013922 00000008 C PR_Poll .rdata:1001392C 0000000C C PR_GetError .rdata:1001393A 00000008 C PR_Read .rdata:10013944 00000009 C PR_Write .rdata:10013950 0000000C C PR_SetError .rdata:1001395E 00000009 C PR_Close .rdata:1001396A 0000000F C WSACreateEvent .rdata:1001397C 0000000F C WSAEventSelect .rdata:1001398E 00000015 C WSAEnumNetworkEvents .rdata:100139A6 00000008 C WSASend .rdata:100139B0 00000008 C WSARecv .rdata:100139BA 0000000C C WSASetEvent .rdata:100139C8 0000000E C WSACloseEvent .rdata:100139D8 00000015 C CertOpenSystemStoreW .rdata:100139F0 0000000F C CertCloseStore .rdata:10013A02 0000001C C CertEnumCertificatesInStore .rdata:10013A20 00000015 C PFXExportCertStoreEx .rdata:10013A38 0000000E C ExitWindowsEx .rdata:10013A48 0000000A C wsprintfA .rdata:10013A54 00000011 C GetDesktopWindow .rdata:10013A68 00000014 C GetForegroundWindow .rdata:10013A7E 0000000C C GetWindowDC .rdata:10013A8C 0000000E C GetWindowRect .rdata:10013A9C 0000000F C GetShellWindow .rdata:10013AAE 00000019 C GetWindowThreadProcessId .rdata:10013ACA 00000017 C CreateCompatibleBitmap .rdata:10013AE4 00000013 C CreateCompatibleDC .rdata:10013AFA 0000000D C SelectObject .rdata:10013B0A 0000000D C DeleteObject .rdata:10013B1A 00000009 C DeleteDC .rdata:10013B26 00000007 C BitBlt .rdata:10013B30 00000010 C CryptGetUserKey .rdata:10013B42 0000000F C RegSetValueExA .rdata:10013B54 0000000E C RegCreateKeyA .rdata:10013B64 0000000C C RegCloseKey .rdata:10013B72 00000011 C RegQueryValueExA .rdata:10013B86 00000018 C RegNotifyChangeKeyValue .rdata:10013BA0 0000000C C RegOpenKeyA .rdata:10013BAE 0000000E C RegEnumValueA .rdata:10013BBE 00000011 C SHGetFolderPathW .rdata:10013BD2 00000011 C SHGetFolderPathA .rdata:10013BE6 0000000D C CoCreateGuid .rdata:10013BF6 00000016 C CreateStreamOnHGlobal .rdata:10013C0E 00000015 C GetHGlobalFromStream .rdata:10013C26 00000013 C EnumProcessModules .rdata:10013C3C 00000015 C GetModuleFileNameExW .rdata:10013C54 0000000C C ToUnicodeEx .rdata:10013C62 00000014 C UnhookWindowsHookEx .rdata:10013C78 00000012 C SetWindowsHookExA .rdata:10013C8C 0000000C C GetAncestor .rdata:10013C9A 00000012 C GetKeyboardLayout .rdata:10013CAE 00000011 C GetKeyboardState .rdata:10013CC2 0000000F C CallNextHookEx .rdata:10013CD4 0000000F C GetWindowTextW .rdata:10013CE6 0000000A C wsprintfW .rdata:10013CF2 00000015 C CreateProcessAsUserA .rdata:10013D0A 00000015 C CreateProcessAsUserW .rdata:10013D22 00000035 C ConvertStringSecurityDescriptorToSecurityDescriptorA .rdata:10013D5A 0000000E C ShellExecuteA .rdata:100141DE 00000007 C memset .rdata:100141E8 00000013 C RtlAdjustPrivilege .rdata:100141FE 00000007 C memcpy .rdata:10014208 00000007 C wcscpy .rdata:10014212 00000009 C mbstowcs .rdata:1001421E 00000009 C wcstombs .rdata:1001422A 00000007 C strcpy .rdata:10014234 00000008 C _strupr .rdata:1001423E 00000007 C strstr .rdata:10014246 0000000A C ntdll.dll .rdata:10014252 0000000C C CreateFileA .rdata:10014260 00000009 C lstrlenA .rdata:1001426C 0000000A C HeapAlloc .rdata:10014278 00000009 C HeapFree .rdata:10014284 0000000A C WriteFile .rdata:10014290 00000009 C lstrcatA .rdata:1001429C 00000011 C CreateDirectoryA .rdata:100142B0 0000000D C GetLastError .rdata:100142C0 00000011 C RemoveDirectoryA .rdata:100142D4 0000000D C LoadLibraryA .rdata:100142E4 0000000C C CloseHandle .rdata:100142F2 0000000C C DeleteFileA .rdata:10014300 00000009 C lstrcpyA .rdata:1001430C 0000000C C HeapReAlloc .rdata:1001431A 00000015 C InterlockedIncrement .rdata:10014332 00000015 C InterlockedDecrement .rdata:1001434A 00000009 C SetEvent .rdata:10014356 0000000D C GetTickCount .rdata:10014366 0000000C C HeapDestroy .rdata:10014374 0000000B C HeapCreate .rdata:10014382 00000013 C GetCurrentThreadId .rdata:10014398 00000011 C CreateDirectoryW .rdata:100143AC 00000015 C GetWindowsDirectoryA .rdata:100143C4 00000006 C Sleep .rdata:100143CC 0000000A C CopyFileW .rdata:100143D8 00000009 C lstrlenW .rdata:100143E4 00000011 C GetModuleHandleA .rdata:100143F8 00000009 C lstrcatW .rdata:10014404 0000000C C DeleteFileW .rdata:10014412 0000000D C GetTempPathA .rdata:10014422 0000000E C MapViewOfFile .rdata:10014432 00000010 C UnmapViewOfFile .rdata:10014444 00000011 C SetWaitableTimer .rdata:10014458 00000012 C GetCurrentProcess .rdata:1001446C 0000000D C CreateEventA .rdata:1001447C 00000015 C LeaveCriticalSection .rdata:10014494 0000000A C lstrcmpiA .rdata:100144A0 00000015 C EnterCriticalSection .rdata:100144B8 00000017 C WaitForMultipleObjects .rdata:100144D2 0000000D C CreateMutexA .rdata:100144E2 0000000D C ReleaseMutex .rdata:100144F2 00000015 C CreateWaitableTimerA .rdata:1001450A 0000000F C UnregisterWait .rdata:1001451C 0000000F C LoadLibraryExW .rdata:1001452E 00000014 C WaitForSingleObject .rdata:10014544 0000000D C SetLastError .rdata:10014554 0000001C C RegisterWaitForSingleObject .rdata:10014572 0000000C C GetFileSize .rdata:10014580 0000000F C FindFirstFileW .rdata:10014592 0000000E C GetDriveTypeW .rdata:100145A2 00000018 C GetLogicalDriveStringsW .rdata:100145BC 0000001A C InitializeCriticalSection .rdata:100145D8 00000013 C GetFileAttributesA .rdata:100145EE 00000013 C GetFileAttributesW .rdata:10014604 0000000F C CreateProcessA .rdata:10014616 0000000C C CreateFileW .rdata:10014624 0000000F C FindFirstFileA .rdata:10014636 00000011 C GetTempFileNameA .rdata:1001464A 0000000A C FindClose .rdata:10014656 00000013 C CreateFileMappingA .rdata:1001466C 0000000E C FindNextFileA .rdata:1001467C 0000000E C FindNextFileW .rdata:1001468C 00000016 C DeleteCriticalSection .rdata:100146A4 00000011 C OpenFileMappingA .rdata:100146B8 0000000D C CreateThread .rdata:100146C8 0000000A C lstrcpynA .rdata:100146D4 00000009 C lstrcmpA .rdata:100146E0 0000000B C GlobalLock .rdata:100146EE 0000000D C GlobalUnlock .rdata:100146FE 0000000E C Thread32First .rdata:1001470E 0000000D C Thread32Next .rdata:1001471E 0000000F C GetProcAddress .rdata:10014730 0000000D C QueueUserAPC .rdata:10014740 0000000B C OpenThread .rdata:1001474E 00000019 C CreateToolhelp32Snapshot .rdata:1001476A 0000000F C CallNamedPipeA .rdata:1001477C 0000000F C WaitNamedPipeA .rdata:1001478E 00000011 C ConnectNamedPipe .rdata:100147A2 00000009 C ReadFile .rdata:100147AE 00000014 C GetOverlappedResult .rdata:100147C4 00000014 C DisconnectNamedPipe .rdata:100147DA 00000011 C FlushFileBuffers .rdata:100147EE 00000011 C CreateNamedPipeA .rdata:10014802 00000009 C CancelIo .rdata:1001480E 00000014 C GetCurrentProcessId .rdata:10014824 0000000E C GetSystemTime .rdata:10014834 00000009 C lstrcmpW .rdata:10014840 00000008 C SleepEx .rdata:1001484A 0000000B C ResetEvent .rdata:10014858 0000000B C LocalAlloc .rdata:10014866 0000000A C LocalFree .rdata:10014872 0000000C C FreeLibrary .rdata:10014880 00000014 C InterlockedExchange .rdata:10014896 0000000F C RaiseException .rdata:100148A6 0000000D C KERNEL32.dll .rdata:100148B6 00000016 C RtlNtStatusToDosError .rdata:100148CE 00000013 C NtMapViewOfSection .rdata:100148E4 00000015 C NtUnmapViewOfSection .rdata:100148FC 00000008 C ZwClose .rdata:10014906 00000010 C NtCreateSection .rdata:10014918 00000013 C NtSetContextThread .rdata:1001492E 0000001A C ZwQueryInformationProcess .rdata:1001494A 00000013 C NtGetContextThread .rdata:10014960 00000013 C ZwOpenProcessToken .rdata:10014976 0000000E C ZwOpenProcess .rdata:10014986 00000018 C ZwQueryInformationToken .rdata:100149A0 00000008 C sprintf .rdata:100149AA 00000013 C WriteProcessMemory .rdata:100149C0 00000011 C VirtualProtectEx .rdata:100149D4 00000012 C ReadProcessMemory .rdata:100149E8 0000000E C SuspendThread .rdata:100149F8 0000000D C ResumeThread .rdata:10014A08 0000000F C SwitchToThread .rdata:10014A1A 00000011 C GetThreadContext .rdata:10014A2E 0000000F C CreateProcessW .rdata:10014A40 00000011 C GetComputerNameA .rdata:10014A54 0000000B C GetVersion .rdata:10014A62 0000000F C SetFilePointer .rdata:10014A74 0000000C C VirtualFree .rdata:10014A82 00000013 C CreateRemoteThread .rdata:10014A98 0000000C C OpenProcess .rdata:10014AA6 0000000D C VirtualAlloc .rdata:10014AB6 0000000F C VirtualAllocEx .rdata:10014AC8 00000013 C GetModuleFileNameA .rdata:10014ADE 0000000F C VirtualProtect .rdata:10014AF0 00000012 C QueueUserWorkItem .rdata:10014B04 00000009 C _aulldiv .rdata:10014B10 00000008 C _allmul .rdata:10014B1A 0000000A C RtlUnwind .rdata:10014B26 00000015 C NtQueryVirtualMemory .rdata:10014B72 0000000B C client.dll .rdata:10014B7D 00000014 C CreateProcessNotify .data:1001518B 0000000D C SUVWATAUAVAWH .data:100151AF 00000005 C Hcz