Analysis | #totalhash

Analysis Date	2014-02-19 22:27:13
MD5	7f2b6e45ccd1add5f25b7cf28a8121d4
SHA1	07acdba82fa1e71412ae5efdcda8460cc9e5294d

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: ac5e3d744071c22733b319fa2d9c3a27 sha1: c12754f2007c6ff3c6a869a11c44646222b82c9c size: 368640
Section	.data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section	.rsrc md5: 9f814ac591c8b6fb5f82769ed9f1121f sha1: b453a2e85a7ae61840f1284dd55af2a95064600a size: 196608
Timestamp	2010-03-12 09:34:57
Version	InternalName: hintgameclient FileVersion: 1.00 CompanyName: hintsoft ProductName: 就爱小游戏 ProductVersion: 1.00 FileDescription: 就爱小游戏 OriginalFilename: hintgameclient.exe
PEhash	f3ed4c1a90939e2e2d8169b513a826f2d89c4844
IMPhash	29d8c68138d65f9b5e15b47d97b66592
AV	clamav	W32.Alman-2
AV	mcafee	W32/Almanahe.c
AV	msse	Virus:Win32/Almanahe.B
AV	avira	W32/Almanahe.B
AV	avg	Win32/Alman

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\WINDOWS\system32\drivers\IsDrv118.sys
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\JET296C.tmp
Creates File	C:\flash.mdb
Creates File	C:\WINDOWS\linkinfo.dll
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Deletes File	C:\WINDOWS\system32\drivers\IsDrv118.sys
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	www.9iflash.com

Process
↳ C:\WINDOWS\Explorer.EXE

Registry	HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ 1
Creates File	PIPE\SfcApi
Creates File	C:\temp\monitor.exe
Creates File	C:\WINDOWS\system32\drivers\nvmini.sys
Creates File	C:\temp\files\malware.exe
Creates File	DL5CProc
Creates Mutex	__CORE_DL5__
Creates Mutex	PNP#DMUTEX#1#DL5
Creates Mutex	__DL5_INF__
Creates Service	nvmini - system32\drivers\nvmini.sys

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1072

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Network Details:

DNS	www.9iflash.com Type: A 64.74.223.44
HTTP GET	http://www.9iflash.com/ User-Agent: ..........
HTTP GET	http://www.9iflash.com/client/getsysinfo.php User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP	192.168.1.1:1031 ➝ 64.74.223.44:80
Flows TCP	192.168.1.1:1033 ➝ 64.74.223.44:80

Raw Pcap

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 becdb0ae   User-Agent: ....
0x00000020 (00032)   d0a1d3ce cfb70d0a 486f7374 3a207777   ........Host: ww
0x00000030 (00048)   772e3969 666c6173 682e636f 6d0d0a43   w.9iflash.com..C
0x00000040 (00064)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x00000050 (00080)   416c6976 650d0a43 61636865 2d436f6e   Alive..Cache-Con
0x00000060 (00096)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000070 (00112)   0d0a                                  ..

0x00000000 (00000)   47455420 2f636c69 656e742f 67657473   GET /client/gets
0x00000010 (00016)   7973696e 666f2e70 68702048 5454502f   ysinfo.php HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000040 (00064)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000a0 (00160)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000b0 (00176)   20777777 2e396966 6c617368 2e636f6d    www.9iflash.com
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000d0 (00208)   65702d41 6c697665 0d0a0d0a            ep-Alive....

Strings

.
.
.
080404B0
1.00
10005
15270
#(-27;@EJOTY^chmrw|
9iflash
</a>
about:blank
\ad\images\
Adobe Photoshop
Adobe Photoshop CS2
adver
application/x-shockwave-flash
async
<BODY ondragstart="window.event.returnValue=false;" oncontextmenu="window.event.returnValue=false;" >
<BODY ondragstart="window.event.returnValue=false;" oncontextmenu="window.event.returnValue=false;" onselectstart="event.returnValue=false;">
BODY {TEXT-ALIGN: center; MARGIN: 1px; FONT-SIZE: 12px; OVERFLOW: hidden}
')"/><br/>
\ClientUpdate.exe
ClientUpdate.exe
Close
collection
CompanyName
Content Type
#content {width:98%;}
CreateFolder
create table flash(id counter (1,1) PRIMARY KEY NOT NULL ,title varchar(200) null,webflashid Long null,downloadtime time null,collection  Byte null,flashpath varchar(30) null,picpath varchar(30) null,description memo null)
create table sys_parameter(id counter (1,1) PRIMARY KEY NOT NULL ,parametername varchar(20) NOT NULL,parametervalue varchar(30) NOT NULL)
;C:\WINDOWS\
delete * from flash where  id=
delete * from flash where id=
description
</div>
<div align="center"><img src="file:///
</div></body></html>
<div class="xyx4">
<div id="content" align="center" >
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
/downloadad.html
downloadtime
E*\AE:\work\hintgameclient\flash9i.vbp
.exe,0
.exe %1
false
FileDescription
FileExists
filelink
filepath
FileVersion
\flash
\flash\
\flashad
\flashad\images
\flashad\images\
/flashad/rightad.html
\flashad\rightad.html
flashdelid
flashfile
flashfile\DefaultIcon
flashfile\shell
flashfile\shell\open
flashfile\shell\open\command
flashlocalid
\flash.mdb
\flash\notimg.gif
flashobjid
flashpath
flashSave
flashtitle
flashurl
FolderExists
Frame1
Frame2
function PlayFlash(ObjID) {
function ResumeError() {return true;}
gameurlpath
getElementsByTagName
/getsysinfo.php
High
hintgameclient
hintgameclient.exe
hintsoft
<HTML lang=gb2312><HEAD><TITLE>
http://
http://www.9iflash.com
http://www.9iflash.com/client
http://www.9iflash.com/client/ad/rightad.html
http://www.9iflash.com/client/comments.php?flashid=
http://www.9iflash.com/client/download/ClientUpdate.exe
http://www.9iflash.com/client/download/flash.mdb
http://www.9iflash.com/client/download/images/gamememotop.jpg
http://www.9iflash.com/client/getflashinfo.php?flashid=
http://www.9iflash.com/client/images/notimg.gif
http://www.9iflash.com/client/typelist.php?typeid=
http://www.9iflash.com/client/typetop.php?typeid=
\images
\images\gamememotop.jpg
/images/gamememotop.jpg" class="list_t">
/images/rightad.gif" width="100" height="300" /></div>
<img height="75" alt="
insert into sys_parameter(parametername,parametervalue) values('
InternalName
Item
;LANGID=0x0409;CP=1252;COUNTRY=0
/left_tree.html
length
.list_c {BORDER-BOTTOM: #aaccee 1px solid; BORDER-LEFT: #aaccee 1px solid; BORDER-TOP: #aaccee 0px solid; BORDER-RIGHT: #aaccee 1px solid}
.list_t {BORDER-BOTTOM: #aaccee 1px solid; TEXT-ALIGN: center; BORDER-LEFT: #aaccee 0px solid; BORDER-TOP: #aaccee 1px solid; FONT-WEIGHT: bold; COLOR: #FFFFFF; BORDER-RIGHT: #aaccee 0px solid}
Load
location = "flashlocalid:" + ObjID;}
main_close
main_height
main_width
mbmabptebkjcdlgtjmskjwtsdhjbmkmwtrak;
m;C:\WINDOWS;.
memo
Microsoft.XMLDOM
Modem
Modem (Busy)
Name
&nbsp<a href='flashdelid:
 , now())
open
OriginalFilename
&page=1
parametervalue
;Persist Security Info=False
picpath
picurl
ProductName
ProductVersion
Provider=Microsoft.Jet.OLEDB.4.0;Data Source=
Proxy Server
/recommended.html
/rightad.html
rightad_ver
</SCRIPT>
<SCRIPT language=javascript>
<SCRIPT language=javascript>function ResumeError() {return true;} window.onerror = ResumeError;</SCRIPT>
/search.php
select * from flash where collection=0 and downloadtime<DateAdd("d",-
select  * from flash where collection=1 order by downloadtime desc
select max(id) from flash where webflashid=
select parametervalue from sys_parameter where parametername='
select top 100 * from flash order by downloadtime desc
select top 1 * from flash
select top 1 * from flash where id=
select top 1 * from flash where webflashid=
ShowAll
" src="
StringFileInfo
</STYLE>
<STYLE>
<STYLE type=text/css>
.swf
sysupdatever
sysupdate_ver
sysver
<TABLE class=list_c border=0 cellSpacing=0 cellPadding=0 width=100% height=100%><TBODY>
TD { COLOR: #07519a; FONT-SIZE: 12px}
</TD></TR>
</TD></TR></TBODY></TABLE></BODY></HTML>
Text
title
" title="
</TITLE><META content="text/html; charset=gb2312" http-equiv=Content-Type></HEAD>
/toplist.php
Translation
<TR><TD height="26"  background="
<TR><TD vAlign=top>
typelist
update flash set collection=1 where id=
update flash set downloadtime='
update sys_parameter set parametervalue='
validateOnParse
VarFileInfo
VS_VERSION_INFO
webflashid
weburlpath
' where  id=
' where parametername='
" width="100"  onclick="PlayFlash('
\WIN
Window
window.onerror = ResumeError;
Write
.xyx4 {PADDING-RIGHT: 10px; PADDING-LEFT: 10px; FLOAT: left; PADDING-BOTTOM: 0px; WIDTH: 110px; LINE-HEIGHT: 250%; PADDING-TOP: 5px; TEXT-ALIGN: center;FONT-FAMILY: Arial; COLOR: #14316b; FONT-SIZE: 9pt; TEXT-DECORATION: none;CURSOR: hand;}
                            
                                                                                                    
						
04Q'$I'
#0Y ^;g
-1"<16!
2010:02:26 13:49:13
2010:02:26 13:50:05
2010:02:26 13:50:40
22222222
2@|%9s
2jn_\{
2O#35*iS
3-$4i{!
4	DSvx
59sq`Fs
'7GWgw
%	%8%h%
9'*1'B)'P!'^
)9IYiy
	:*\<a
AA?((((
AC 40D
/ACg*F
acspMSFT
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
Adobe_CM
Adobe Photoshop CS2 Windows
advapi32.dll
_allmul
altTagTEXT
*AQ"qA
autoGenerated
B/)1	)
{~,,bB
,bfN^HE
bgColorTypeenum
 bK	 |
bottomOutsetlong
boundsObjc
bR}YSy_Y
Btomlong
}^$bwEX
	%bZ*N
'&C3s<(
c85-]`
cellTextIsHTMLbool
cellTextTEXT
cf_l_old
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
[CK0lK@
CNetConnect
Connected
ConnectMode
ConnectModeDesc
Copyright (c) 1998 Hewlett-Packard Company
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
CreateDirectoryA
CreateFolder
CRT curv
,C"ut6N
Cwb_Status
C:\WINDOWS\system32\ieframe.oca
C:\WINDOWS\system32\Macromed\Flash\Flash10d.oca
C:\WINDOWS\system32\msvbvm60.dll\3
<DAreG
         <dc:format>image/jpeg</dc:format>
default
DeleteFileA
DeleteKey
DeleteUrlCacheEntryA
DelFile
DelUrl
dEU6te
+DlI;V
DllFunctionCall
dNT	y~f5#Q
DN-tz_
DoRunEnd
DownloadAD
DPr;;N
dwReserved
dwSize
EAF"L[@
EsFdIs
Es$FGs
ESliceBGColorType
ESliceHorzAlign
ESliceOrigin
ESliceType
ESliceVertAlign
EVENT_SINK2_AddRef
EVENT_SINK2_Release
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
E:\work\9iflash\olelib.tlb
         <exif:ColorSpace>1</exif:ColorSpace>
         <exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;0D6D1CF88B0728185AC1E6B2BB187971</exif:NativeDigest>
         <exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;391E65743AAC59154D0095080A6C4F1E</exif:NativeDigest>
         <exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;66A6765B17F86E7CC06723AF598D894D</exif:NativeDigest>
         <exif:PixelXDimension>11</exif:PixelXDimension>
         <exif:PixelXDimension>14</exif:PixelXDimension>
         <exif:PixelXDimension>16</exif:PixelXDimension>
         <exif:PixelYDimension>69</exif:PixelYDimension>
f9~tuC
FC:\Program Files\Microsoft Visual Studio\VB98\VBA6.dll
FC:\WINDOWS\system32\stdole2.tlb
F_FullScreen
f_h_old
File2DownLoad
File2Save
FileExists
FileLink
Flash10d.ocx
flash9i
FlashFileLink
FlashMemo
FlashPicPath
FlashSavePath
FlashSaveSign
FlashSwfPath
FlashTitle
FlashWebID
f_l_old
FolderExists
FormlodingStatus
-FPpIC
Frame1
Frame1_b_c
Frame2
Frame2_b_c
Frame3
Frame3Resize
Frame4
Fs0jGsmLGs
f_t_old
Function
,fWlTx
f_w_old
 *gAZ$
GetAsyncKeyState
GetSystemMetrics
gGsfLGsk
	gM;Mk
grfBINDF
grfBSCF
groupIDlong
GsetGs
Gs^iGsD
h>>>>>
h>>>>>>>>
HangUp
HaveChangeCT
h	]C*w
HGsP\Hsc\Hs
hintgameclient
	horzAlignenum
hresult
^Hr,g/f&TGS
Hs&HGs
HssnGs*aHs
HstjGs
http://ns.adobe.com/xap/1.0/
i:1B.1
IBindStatusCallback
IBindStatusCallback_GetBindInfo
IBindStatusCallback_GetPriority
IBindStatusCallback_OnDataAvailable
IBindStatusCallback_OnLowResource
IBindStatusCallback_OnObjectAvailable
IBindStatusCallback_OnProgress
IBindStatusCallback_OnStartBinding
IBindStatusCallback_OnStopBinding
	.ID4Tk
" id="W5M0MpCehiHzreSzNTczkc9d"?>
.IEC 61966-2.1 Default RGB colour space - sRGB
IEC http://www.iec.ch
IEC sRGB
ieframe.dll
I-iN6+
I	jjLFD
Image1
Image2
Image3
Image4
Image5
Image6
InternetAutodial
InternetAutodialHangup
InternetCloseHandle
InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
`i)QFZ
IsbrIs
IsCancelIng
IsDownloadIng
IsEjGs
IstLGs
}#jdh<
}#j`h<
}#j|h\
}#jph<
}#jph8
}#jPhd
}#jPhl
}#jth<
}#jTh8
}#jthL
}#jxh8
} jXh8
*:JZjz
K<5FX=I
K7xKzJ
kernel32
kIspuIsM
KnownTestSites
Label1
Leftlong
leftOutsetlong
lf_l_old
+(L[Gm
-]lia!
l_l_old
l_windows_open
l_windows_w
"L)w"L
l_w_old
M1702b.h
?#M>9H
main_close
main_height
main_width
MDBFilepath
Menumove1
Menumove2
mntrRGB XYZ 
MsgeTEXT
MSVBVM60.DLL
NewVal
 !N\HjQ
NL(abP
NowControlID
NowPlayGameId
NowPlayGameType
NowPlayGameUrl
nullTEXT
o$6OM7
ObjFso9i
	%	:	O	d	y	
o"	j 	h
OldMenuID
olelib
OnLine
Oo`1Y%
}OrH,c
originenum
O@sO0cO SO
\O|^Y}_T{]X
[^~\O|YV
PathString
pbindinfo
<."pd[
pformatetc
Photoshop 3.0
         <photoshop:ColorMode>3</photoshop:ColorMode>
         <photoshop:History/>
         <photoshop:ICCProfile>sRGB IEC61966-2.1</photoshop:ICCProfile>
Picturelb
Picturem1
Picturem2
Picturem3
Picturem4
Picturem5
Picturem6
Picturem7
Picturerb
,PJ)b0
PlayControlFrame
PlayFlashBT1
PlayFlashBT2
PlayFlashBT3
PlayFlashBT4
PlayFlashBT5
PlayFlashWB
Plb_o_m_m
=P~]PC@
Prb_o_m_m
ProgressB1
ProgressB2
ProgressB3
ProgressL
ProgressR
pStgmed
p,^U,D
@===Py
r8!prrr
raE:)L
      </rdf:Description>
      <rdf:Description rdf:about=""
   </rdf:RDF>
   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
ReadyState
,Reference Viewing Condition in IEC61966-2.1
Refresh
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
reglink
RegOpenKeyA
RegOpenKeyExA
RegSetValueA
RegSetValueExA
Reserved
RfJ+!r
rf_l_old
Rghtlong
RightADUrl
RightAD_Ver
rightOutsetlong
rIs1hIsf
r_l_old
?|@`	rq
Run_FullScreen
r_windows_open
r_windows_w
r_w_old
SetCursor
SetFileLink
SetMainClose
SetParameter1
SetParameter2
SetParameterB
SetSaveDate1
SetSaveDate2
Shape3
SHDocVwCtl
SHDocVwCtl.WebBrowser
shell32.dll
ShellExecuteA
ShockwaveFlash
ShockwaveFlashObjectsCtl
ShockwaveFlashObjectsCtl.ShockwaveFlash
sliceIDlong
slicesVlLs
sRGB IEC61966-2.1
StartDeleteUrlCache
StartTheStinkinDownLoad
stdole
            <stRef:documentID>uuid:D0AE1D849A22DF1183AAC4DCEB80F844</stRef:documentID>
            <stRef:documentID>uuid:D5AE1D849A22DF1183AAC4DCEB80F844</stRef:documentID>
            <stRef:documentID>uuid:DAAE1D849A22DF1183AAC4DCEB80F844</stRef:documentID>
            <stRef:instanceID>uuid:D0AE1D849A22DF1183AAC4DCEB80F844</stRef:instanceID>
            <stRef:instanceID>uuid:D5AE1D849A22DF1183AAC4DCEB80F844</stRef:instanceID>
            <stRef:instanceID>uuid:DAAE1D849A22DF1183AAC4DCEB80F844</stRef:instanceID>
]S}WS|bJ
Sys_Ver
szError
szStatusText
!This program cannot be run in DOS mode.
         <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;5DF14A1563F5FB1D2758B8E3858002FD</tiff:NativeDigest>
         <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;7ED50E95A04A92F5356A4E20370ACAA8</tiff:NativeDigest>
         <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;92A99703F9D628B574127E3127CB4930</tiff:NativeDigest>
         <tiff:Orientation>1</tiff:Orientation>
         <tiff:ResolutionUnit>2</tiff:ResolutionUnit>
         <tiff:XResolution>720000/10000</tiff:XResolution>
         <tiff:YResolution>720000/10000</tiff:YResolution>
Timer1
Top long
TopMenuID
	topOutsetlong
"tRN.G
T{%\{u
Typeenum
ulProgress
ulProgressMax
ulStatusCode
URLDownloadToFileA
urlmon
URLMON.DLL
urlTEXT
user32
uX>F# _
[U~]Z}\Y}]X
.V4)oR
vb6chs.dll
VBA6.DLL
__vbaBoolVar
__vbaBoolVarNull
__vbaCastObj
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitEachColl
__vbaExitProc
__vbaForEachCollVar
__vbaFPException
__vbaFpI4
__vbaFPInt
__vbaFpR4
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarg
__vbaFreeVarList
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Str
__vbaI2Var
__vbaI4ErrVar
__vbaI4Str
__vbaI4Var
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdSt
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemSt
__vbaLenBstrB
__vbaLenVar
__vbaLenVarB
__vbaNew
__vbaNew2
__vbaNextEachCollVar
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaR4Var
__vbaR8IntI4
__vbaResume
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrErrVarCopy
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrR4
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDup
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarMove
__vbaVarNot
__vbaVarOr
__vbaVarSub
__vbaVarTstEq
__vbaVarTstNe
__vbaVarVargNofree
	vertAlignenum
VicBinding
VT i3=Z
WebBrowser
WebBrowser1
WebBrowser2
WebBrowser3
WebDoMainPath
Windows_Box_Caption
Windows_Box_Height
Windows_Box_Width
wininet.dll
*wvgvw<4
         <xap:CreateDate>2010-02-26T13:49:13+08:00</xap:CreateDate>
         <xap:CreateDate>2010-02-26T13:50:05+08:00</xap:CreateDate>
         <xap:CreateDate>2010-02-26T13:50:40+08:00</xap:CreateDate>
         <xap:CreatorTool>Adobe Photoshop CS2 Windows</xap:CreatorTool>
         <xap:MetadataDate>2010-02-26T13:49:13+08:00</xap:MetadataDate>
         <xap:MetadataDate>2010-02-26T13:50:05+08:00</xap:MetadataDate>
         <xap:MetadataDate>2010-02-26T13:50:40+08:00</xap:MetadataDate>
         </xapMM:DerivedFrom>
         <xapMM:DerivedFrom rdf:parseType="Resource">
         <xapMM:DocumentID>uuid:6881ADDE9A22DF1183AAC4DCEB80F844</xapMM:DocumentID>
         <xapMM:DocumentID>uuid:D1AE1D849A22DF1183AAC4DCEB80F844</xapMM:DocumentID>
         <xapMM:DocumentID>uuid:D6AE1D849A22DF1183AAC4DCEB80F844</xapMM:DocumentID>
         <xapMM:InstanceID>uuid:6981ADDE9A22DF1183AAC4DCEB80F844</xapMM:InstanceID>
         <xapMM:InstanceID>uuid:D2AE1D849A22DF1183AAC4DCEB80F844</xapMM:InstanceID>
         <xapMM:InstanceID>uuid:D7AE1D849A22DF1183AAC4DCEB80F844</xapMM:InstanceID>
         <xap:ModifyDate>2010-02-26T13:49:13+08:00</xap:ModifyDate>
         <xap:ModifyDate>2010-02-26T13:50:05+08:00</xap:ModifyDate>
         <xap:ModifyDate>2010-02-26T13:50:40+08:00</xap:ModifyDate>
XICC_PROFILE
            xmlns:dc="http://purl.org/dc/elements/1.1/">
            xmlns:exif="http://ns.adobe.com/exif/1.0/">
            xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
            xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
            xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
            xmlns:xap="http://ns.adobe.com/xap/1.0/">
            xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
<?xpacket begin="
<?xpacket end="w"?>
</x:xmpmeta>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1.1-111">
XZ}^Ux\[
]X{\[zYV
XZ~^Yv][
=Y7DUGPQG\z
YR&/*R~
y~SWWWWW
yy~WWz
yyyySWWz
z3aF 84
[Z}[\{^W~Y[