Analysis Date: 2014-12-19 01:59:35
MD5: 00f58cf9f994c9d6e158d45dbc0ac7b0
SHA1: 61d255a3c0bb5cd0fde784adb2c7ef5015eadc6f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d92324c5bb7cd1d8cf2ebe3867ae1ffe sha1: fd93db4cde6b2e90e5b881d661744cec21dd1102 size: 90624
Section .tls: md5: 13efee96a8c843a3755538d87267300a sha1: 53b7a5f26f2dd9b496741defd81c640a910bc2e0 size: 1024
Section .data: md5: 632a97e17046db402f4814f2a60c988a sha1: e302a62e4e418e28d2d531d78cd00ba382fee41f size: 84480
Section .reloc: md5: f94d9479c0cdb338923f85f6c443b79b sha1: a3f7688c5187596f7f2cb0cecf6a0ee2c2cf5f61 size: 1024
Timestamp: 2005-11-18 06:29:46
PEhash: 460f52754313aec4e419f6aba9acb33172989790
IMPhash: f53b1098146a057895437016ea9c3def
AV 360 Safe: Gen:Trojan.Heur.KS.2
AV Ad-Aware: Gen:Trojan.Heur.KS.2
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.2
AV Authentium: W32/Goolbot.J.gen!Eldorado
AV Avira (antivir): BDS/Cycbot.BC
AV BullGuard: Gen:Trojan.Heur.KS.2
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-1170
AV Dr. Web: Trojan.DownLoader4.5038
AV Emsisoft: Gen:Trojan.Heur.KS.2
AV Eset (nod32): Win32/Kryptik.QFW
AV Fortinet: W32/Kryptik.POT!tr
AV Frisk (f-prot): W32/Goolbot.J.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.2
AV Grisoft (avg): Win32/Heri
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.k
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.2
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen4
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: resetsystems-1.com
Winsock DNS: 127.0.0.1
Winsock DNS: healthylifenow.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: healthylifenow.com, Type: A, 208.109.208.147
DNS: zonedg.com, Type: A, 141.8.225.80
DNS: zonedg.com, Type: A, 141.8.225.80
DNS: resetsystems-1.com, Type: A
HTTP GET: http://healthylifenow.com/templates/7349/images/header_logo.jpg?v48=2&tq=gHZutDyMv5rJejbia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxL5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 208.109.208.147:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80

Raw Pcap

Strings