Analysis Date | 2014-02-19 22:27:13 |
---|---|
MD5 | 7f2b6e45ccd1add5f25b7cf28a8121d4 |
SHA1 | 07acdba82fa1e71412ae5efdcda8460cc9e5294d |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: ac5e3d744071c22733b319fa2d9c3a27 sha1: c12754f2007c6ff3c6a869a11c44646222b82c9c size: 368640 | |
Section | .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096 | |
Section | .rsrc md5: 9f814ac591c8b6fb5f82769ed9f1121f sha1: b453a2e85a7ae61840f1284dd55af2a95064600a size: 196608 | |
Timestamp | 2010-03-12 09:34:57 | |
Version | InternalName: hintgameclient FileVersion: 1.00 CompanyName: hintsoft ProductName: 就爱小游戏 ProductVersion: 1.00 FileDescription: 就爱小游戏 OriginalFilename: hintgameclient.exe | |
PEhash | f3ed4c1a90939e2e2d8169b513a826f2d89c4844 | |
IMPhash | 29d8c68138d65f9b5e15b47d97b66592 | |
AV | clamav | W32.Alman-2 |
AV | mcafee | W32/Almanahe.c |
AV | msse | Virus:Win32/Almanahe.B |
AV | avira | W32/Almanahe.B |
AV | avg | Win32/Alman |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\WINDOWS\system32\drivers\IsDrv118.sys |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\JET296C.tmp |
Creates File | C:\flash.mdb |
Creates File | C:\WINDOWS\linkinfo.dll |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Deletes File | C:\WINDOWS\system32\drivers\IsDrv118.sys |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Winsock DNS | www.9iflash.com |
Process
↳ C:\WINDOWS\Explorer.EXE
Registry | HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ 1 |
---|---|
Creates File | PIPE\SfcApi |
Creates File | C:\temp\monitor.exe |
Creates File | C:\WINDOWS\system32\drivers\nvmini.sys |
Creates File | C:\temp\files\malware.exe |
Creates File | DL5CProc |
Creates Mutex | __CORE_DL5__ |
Creates Mutex | PNP#DMUTEX#1#DL5 |
Creates Mutex | __DL5_INF__ |
Creates Service | nvmini - system32\drivers\nvmini.sys |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
---|---|
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1072
Process
↳ Pid 1208
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ C:\WINDOWS\System32\alg.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
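Network Details: (www.9iflash.com and the /client/getsysinfo.php path also appear in the sample's own strings, alongside its hintgameclient version info, while the AV labels name the Almanahe virus; this traffic may therefore come from the infected host program rather than from the virus itself — confirm before using it as an Almanahe indicator)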
DNS | www.9iflash.com Type: A 64.74.223.44 |
---|---|
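HTTP GET | http://www.9iflash.com/ User-Agent: 就爱小游戏 (10 non-ASCII bytes be cd b0 ae d0 a1 d3 ce cf b7 in the capture, printed as ".........." by the ASCII renderer; decoded here as GB2312, which matches the ProductName in the version info) |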
HTTP GET | http://www.9iflash.com/client/getsysinfo.php User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
Flows TCP | 192.168.1.1:1031 ➝ 64.74.223.44:80 |
Flows TCP | 192.168.1.1:1033 ➝ 64.74.223.44:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f204854 54502f31 2e310d0a GET / HTTP/1.1..
0x00000010 (00016) 55736572 2d416765 6e743a20 becdb0ae User-Agent: ....
0x00000020 (00032) d0a1d3ce cfb70d0a 486f7374 3a207777 ........Host: ww
0x00000030 (00048) 772e3969 666c6173 682e636f 6d0d0a43 w.9iflash.com..C
0x00000040 (00064) 6f6e6e65 6374696f 6e3a204b 6565702d onnection: Keep-
0x00000050 (00080) 416c6976 650d0a43 61636865 2d436f6e Alive..Cache-Con
0x00000060 (00096) 74726f6c 3a206e6f 2d636163 68650d0a trol: no-cache..
0x00000070 (00112) 0d0a ..

0x00000000 (00000) 47455420 2f636c69 656e742f 67657473 GET /client/gets
0x00000010 (00016) 7973696e 666f2e70 68702048 5454502f ysinfo.php HTTP/
0x00000020 (00032) 312e310d 0a416363 6570743a 202a2f2a 1.1..Accept: */*
0x00000030 (00048) 0d0a4163 63657074 2d456e63 6f64696e ..Accept-Encodin
0x00000040 (00064) 673a2067 7a69702c 20646566 6c617465 g: gzip, deflate
0x00000050 (00080) 0d0a5573 65722d41 67656e74 3a204d6f ..User-Agent: Mo
0x00000060 (00096) 7a696c6c 612f342e 30202863 6f6d7061 zilla/4.0 (compa
0x00000070 (00112) 7469626c 653b204d 53494520 362e303b tible; MSIE 6.0;
0x00000080 (00128) 2057696e 646f7773 204e5420 352e313b Windows NT 5.1;
0x00000090 (00144) 20535631 3b202e4e 45542043 4c522032 SV1; .NET CLR 2
0x000000a0 (00160) 2e302e35 30373237 290d0a48 6f73743a .0.50727)..Host:
0x000000b0 (00176) 20777777 2e396966 6c617368 2e636f6d www.9iflash.com
0x000000c0 (00192) 0d0a436f 6e6e6563 74696f6e 3a204b65 ..Connection: Ke
0x000000d0 (00208) 65702d41 6c697665 0d0a0d0a ep-Alive....
Strings
. . . 080404B0 1.00 10005 15270 #(-27;@EJOTY^chmrw| 9iflash </a> about:blank \ad\images\ Adobe Photoshop Adobe Photoshop CS2 adver application/x-shockwave-flash async <BODY ondragstart="window.event.returnValue=false;" oncontextmenu="window.event.returnValue=false;" > <BODY ondragstart="window.event.returnValue=false;" oncontextmenu="window.event.returnValue=false;" onselectstart="event.returnValue=false;"> BODY {TEXT-ALIGN: center; MARGIN: 1px; FONT-SIZE: 12px; OVERFLOW: hidden} ')"/><br/> \ClientUpdate.exe ClientUpdate.exe Close collection CompanyName Content Type #content {width:98%;} CreateFolder create table flash(id counter (1,1) PRIMARY KEY NOT NULL ,title varchar(200) null,webflashid Long null,downloadtime time null,collection Byte null,flashpath varchar(30) null,picpath varchar(30) null,description memo null) create table sys_parameter(id counter (1,1) PRIMARY KEY NOT NULL ,parametername varchar(20) NOT NULL,parametervalue varchar(30) NOT NULL) ;C:\WINDOWS\ delete * from flash where id= delete * from flash where id= description </div> <div align="center"><img src="file:/// </div></body></html> <div class="xyx4"> <div id="content" align="center" > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> /downloadad.html downloadtime E*\AE:\work\hintgameclient\flash9i.vbp .exe,0 .exe %1 false FileDescription FileExists filelink filepath FileVersion \flash \flash\ \flashad \flashad\images \flashad\images\ /flashad/rightad.html \flashad\rightad.html flashdelid flashfile flashfile\DefaultIcon flashfile\shell flashfile\shell\open flashfile\shell\open\command flashlocalid \flash.mdb \flash\notimg.gif flashobjid flashpath flashSave flashtitle flashurl FolderExists Frame1 Frame2 function PlayFlash(ObjID) { function ResumeError() {return true;} gameurlpath getElementsByTagName /getsysinfo.php High hintgameclient hintgameclient.exe hintsoft <HTML lang=gb2312><HEAD><TITLE> http:// http://www.9iflash.com http://www.9iflash.com/client 
http://www.9iflash.com/client/ad/rightad.html http://www.9iflash.com/client/comments.php?flashid= http://www.9iflash.com/client/download/ClientUpdate.exe http://www.9iflash.com/client/download/flash.mdb http://www.9iflash.com/client/download/images/gamememotop.jpg http://www.9iflash.com/client/getflashinfo.php?flashid= http://www.9iflash.com/client/images/notimg.gif http://www.9iflash.com/client/typelist.php?typeid= http://www.9iflash.com/client/typetop.php?typeid= \images \images\gamememotop.jpg /images/gamememotop.jpg" class="list_t"> /images/rightad.gif" width="100" height="300" /></div> <img height="75" alt=" insert into sys_parameter(parametername,parametervalue) values(' InternalName Item ;LANGID=0x0409;CP=1252;COUNTRY=0 /left_tree.html length .list_c {BORDER-BOTTOM: #aaccee 1px solid; BORDER-LEFT: #aaccee 1px solid; BORDER-TOP: #aaccee 0px solid; BORDER-RIGHT: #aaccee 1px solid} .list_t {BORDER-BOTTOM: #aaccee 1px solid; TEXT-ALIGN: center; BORDER-LEFT: #aaccee 0px solid; BORDER-TOP: #aaccee 1px solid; FONT-WEIGHT: bold; COLOR: #FFFFFF; BORDER-RIGHT: #aaccee 0px solid} Load location = "flashlocalid:" + ObjID;} main_close main_height main_width mbmabptebkjcdlgtjmskjwtsdhjbmkmwtrak; m;C:\WINDOWS;. 
memo Microsoft.XMLDOM Modem Modem (Busy) Name  <a href='flashdelid: , now()) open OriginalFilename &page=1 parametervalue ;Persist Security Info=False picpath picurl ProductName ProductVersion Provider=Microsoft.Jet.OLEDB.4.0;Data Source= Proxy Server /recommended.html /rightad.html rightad_ver </SCRIPT> <SCRIPT language=javascript> <SCRIPT language=javascript>function ResumeError() {return true;} window.onerror = ResumeError;</SCRIPT> /search.php select * from flash where collection=0 and downloadtime<DateAdd("d",- select * from flash where collection=1 order by downloadtime desc select max(id) from flash where webflashid= select parametervalue from sys_parameter where parametername=' select top 100 * from flash order by downloadtime desc select top 1 * from flash select top 1 * from flash where id= select top 1 * from flash where webflashid= ShowAll " src=" StringFileInfo </STYLE> <STYLE> <STYLE type=text/css> .swf sysupdatever sysupdate_ver sysver <TABLE class=list_c border=0 cellSpacing=0 cellPadding=0 width=100% height=100%><TBODY> TD { COLOR: #07519a; FONT-SIZE: 12px} </TD></TR> </TD></TR></TBODY></TABLE></BODY></HTML> Text title " title=" </TITLE><META content="text/html; charset=gb2312" http-equiv=Content-Type></HEAD> /toplist.php Translation <TR><TD height="26" background=" <TR><TD vAlign=top> typelist update flash set collection=1 where id= update flash set downloadtime=' update sys_parameter set parametervalue=' validateOnParse VarFileInfo VS_VERSION_INFO webflashid weburlpath ' where id= ' where parametername=' " width="100" onclick="PlayFlash(' \WIN Window window.onerror = ResumeError; Write .xyx4 {PADDING-RIGHT: 10px; PADDING-LEFT: 10px; FLOAT: left; PADDING-BOTTOM: 0px; WIDTH: 110px; LINE-HEIGHT: 250%; PADDING-TOP: 5px; TEXT-ALIGN: center;FONT-FAMILY: Arial; COLOR: #14316b; FONT-SIZE: 9pt; TEXT-DECORATION: none;CURSOR: hand;} 04Q'$I' #0Y ^;g -1"<16! 2010:02:26 13:49:13 2010:02:26 13:50:05 2010:02:26 13:50:40 22222222 2@|%9s 2jn_\{ 2O#35*iS 3-$4i{! 
4 DSvx 59sq`Fs '7GWgw % %8%h% 9'*1'B)'P!'^ )9IYiy :*\<a AA?(((( AC 40D /ACg*F acspMSFT _adj_fdiv_m16i _adj_fdiv_m32 _adj_fdiv_m32i _adj_fdiv_m64 _adj_fdiv_r _adj_fdivr_m16i _adj_fdivr_m32 _adj_fdivr_m32i _adj_fdivr_m64 _adj_fpatan _adj_fprem _adj_fprem1 _adj_fptan Adobe_CM Adobe Photoshop CS2 Windows advapi32.dll _allmul altTagTEXT *AQ"qA autoGenerated B/)1 ) {~,,bB ,bfN^HE bgColorTypeenum bK | bottomOutsetlong boundsObjc bR}YSy_Y Btomlong }^$bwEX %bZ*N '&C3s<( c85-]` cellTextIsHTMLbool cellTextTEXT cf_l_old _CIatan _CIcos _CIexp _CIlog _CIsin _CIsqrt _CItan [CK0lK@ CNetConnect Connected ConnectMode ConnectModeDesc Copyright (c) 1998 Hewlett-Packard Company C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB CreateDirectoryA CreateFolder CRT curv ,C"ut6N Cwb_Status C:\WINDOWS\system32\ieframe.oca C:\WINDOWS\system32\Macromed\Flash\Flash10d.oca C:\WINDOWS\system32\msvbvm60.dll\3 <DAreG <dc:format>image/jpeg</dc:format> default DeleteFileA DeleteKey DeleteUrlCacheEntryA DelFile DelUrl dEU6te +DlI;V DllFunctionCall dNT y~f5#Q DN-tz_ DoRunEnd DownloadAD DPr;;N dwReserved dwSize EAF"L[@ EsFdIs Es$FGs ESliceBGColorType ESliceHorzAlign ESliceOrigin ESliceType ESliceVertAlign EVENT_SINK2_AddRef EVENT_SINK2_Release EVENT_SINK_AddRef EVENT_SINK_QueryInterface EVENT_SINK_Release E:\work\9iflash\olelib.tlb <exif:ColorSpace>1</exif:ColorSpace> <exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;0D6D1CF88B0728185AC1E6B2BB187971</exif:NativeDigest> 
<exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;391E65743AAC59154D0095080A6C4F1E</exif:NativeDigest> <exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;66A6765B17F86E7CC06723AF598D894D</exif:NativeDigest> <exif:PixelXDimension>11</exif:PixelXDimension> <exif:PixelXDimension>14</exif:PixelXDimension> <exif:PixelXDimension>16</exif:PixelXDimension> <exif:PixelYDimension>69</exif:PixelYDimension> f9~tuC FC:\Program Files\Microsoft Visual Studio\VB98\VBA6.dll FC:\WINDOWS\system32\stdole2.tlb F_FullScreen f_h_old File2DownLoad File2Save FileExists FileLink Flash10d.ocx flash9i FlashFileLink FlashMemo FlashPicPath FlashSavePath FlashSaveSign FlashSwfPath FlashTitle FlashWebID f_l_old FolderExists FormlodingStatus -FPpIC Frame1 Frame1_b_c Frame2 Frame2_b_c Frame3 Frame3Resize Frame4 Fs0jGsmLGs f_t_old Function ,fWlTx f_w_old *gAZ$ GetAsyncKeyState GetSystemMetrics gGsfLGsk gM;Mk grfBINDF grfBSCF groupIDlong GsetGs Gs^iGsD h>>>>> h>>>>>>>> HangUp HaveChangeCT h ]C*w HGsP\Hsc\Hs hintgameclient horzAlignenum hresult ^Hr,g/f&TGS Hs&HGs HssnGs*aHs HstjGs http://ns.adobe.com/xap/1.0/ i:1B.1 IBindStatusCallback IBindStatusCallback_GetBindInfo IBindStatusCallback_GetPriority IBindStatusCallback_OnDataAvailable IBindStatusCallback_OnLowResource IBindStatusCallback_OnObjectAvailable 
IBindStatusCallback_OnProgress IBindStatusCallback_OnStartBinding IBindStatusCallback_OnStopBinding .ID4Tk " id="W5M0MpCehiHzreSzNTczkc9d"?> .IEC 61966-2.1 Default RGB colour space - sRGB IEC http://www.iec.ch IEC sRGB ieframe.dll I-iN6+ I jjLFD Image1 Image2 Image3 Image4 Image5 Image6 InternetAutodial InternetAutodialHangup InternetCloseHandle InternetGetConnectedState InternetOpenA InternetOpenUrlA `i)QFZ IsbrIs IsCancelIng IsDownloadIng IsEjGs IstLGs }#jdh< }#j`h< }#j|h\ }#jph< }#jph8 }#jPhd }#jPhl }#jth< }#jTh8 }#jthL }#jxh8 } jXh8 *:JZjz K<5FX=I K7xKzJ kernel32 kIspuIsM KnownTestSites Label1 Leftlong leftOutsetlong lf_l_old +(L[Gm -]lia! l_l_old l_windows_open l_windows_w "L)w"L l_w_old M1702b.h ?#M>9H main_close main_height main_width MDBFilepath Menumove1 Menumove2 mntrRGB XYZ MsgeTEXT MSVBVM60.DLL NewVal !N\HjQ NL(abP NowControlID NowPlayGameId NowPlayGameType NowPlayGameUrl nullTEXT o$6OM7 ObjFso9i % : O d y o" j h OldMenuID olelib OnLine Oo`1Y% }OrH,c originenum O@sO0cO SO \O|^Y}_T{]X [^~\O|YV PathString pbindinfo <."pd[ pformatetc Photoshop 3.0 <photoshop:ColorMode>3</photoshop:ColorMode> <photoshop:History/> <photoshop:ICCProfile>sRGB IEC61966-2.1</photoshop:ICCProfile> Picturelb Picturem1 Picturem2 Picturem3 Picturem4 Picturem5 Picturem6 Picturem7 Picturerb ,PJ)b0 PlayControlFrame PlayFlashBT1 PlayFlashBT2 PlayFlashBT3 PlayFlashBT4 PlayFlashBT5 PlayFlashWB Plb_o_m_m =P~]PC@ Prb_o_m_m ProgressB1 ProgressB2 ProgressB3 ProgressL ProgressR pStgmed p,^U,D @===Py r8!prrr raE:)L </rdf:Description> <rdf:Description rdf:about="" </rdf:RDF> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> ReadyState ,Reference Viewing Condition in IEC61966-2.1 Refresh RegCloseKey RegCreateKeyA RegDeleteKeyA reglink RegOpenKeyA RegOpenKeyExA RegSetValueA RegSetValueExA Reserved RfJ+!r rf_l_old Rghtlong RightADUrl RightAD_Ver rightOutsetlong rIs1hIsf r_l_old ?|@` rq Run_FullScreen r_windows_open r_windows_w r_w_old SetCursor SetFileLink SetMainClose SetParameter1 
SetParameter2 SetParameterB SetSaveDate1 SetSaveDate2 Shape3 SHDocVwCtl SHDocVwCtl.WebBrowser shell32.dll ShellExecuteA ShockwaveFlash ShockwaveFlashObjectsCtl ShockwaveFlashObjectsCtl.ShockwaveFlash sliceIDlong slicesVlLs sRGB IEC61966-2.1 StartDeleteUrlCache StartTheStinkinDownLoad stdole <stRef:documentID>uuid:D0AE1D849A22DF1183AAC4DCEB80F844</stRef:documentID> <stRef:documentID>uuid:D5AE1D849A22DF1183AAC4DCEB80F844</stRef:documentID> <stRef:documentID>uuid:DAAE1D849A22DF1183AAC4DCEB80F844</stRef:documentID> <stRef:instanceID>uuid:D0AE1D849A22DF1183AAC4DCEB80F844</stRef:instanceID> <stRef:instanceID>uuid:D5AE1D849A22DF1183AAC4DCEB80F844</stRef:instanceID> <stRef:instanceID>uuid:DAAE1D849A22DF1183AAC4DCEB80F844</stRef:instanceID> ]S}WS|bJ Sys_Ver szError szStatusText !This program cannot be run in DOS mode. <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;5DF14A1563F5FB1D2758B8E3858002FD</tiff:NativeDigest> <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;7ED50E95A04A92F5356A4E20370ACAA8</tiff:NativeDigest> <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;92A99703F9D628B574127E3127CB4930</tiff:NativeDigest> <tiff:Orientation>1</tiff:Orientation> <tiff:ResolutionUnit>2</tiff:ResolutionUnit> <tiff:XResolution>720000/10000</tiff:XResolution> <tiff:YResolution>720000/10000</tiff:YResolution> Timer1 Top long TopMenuID topOutsetlong "tRN.G T{%\{u Typeenum ulProgress ulProgressMax ulStatusCode URLDownloadToFileA urlmon URLMON.DLL urlTEXT user32 uX>F# _ [U~]Z}\Y}]X .V4)oR vb6chs.dll VBA6.DLL __vbaBoolVar __vbaBoolVarNull __vbaCastObj __vbaChkstk __vbaEnd __vbaErrorOverflow __vbaExceptHandler __vbaExitEachColl __vbaExitProc __vbaForEachCollVar __vbaFPException __vbaFpI4 __vbaFPInt __vbaFpR4 __vbaFreeObj __vbaFreeObjList __vbaFreeStr __vbaFreeStrList 
__vbaFreeVar __vbaFreeVarg __vbaFreeVarList __vbaHresultCheckObj __vbaI2I4 __vbaI2Str __vbaI2Var __vbaI4ErrVar __vbaI4Str __vbaI4Var __vbaLateIdCall __vbaLateIdCallLd __vbaLateIdSt __vbaLateMemCall __vbaLateMemCallLd __vbaLateMemSt __vbaLenBstrB __vbaLenVar __vbaLenVarB __vbaNew __vbaNew2 __vbaNextEachCollVar __vbaObjSet __vbaObjSetAddref __vbaObjVar __vbaOnError __vbaR4Var __vbaR8IntI4 __vbaResume __vbaSetSystemError __vbaStrCat __vbaStrCmp __vbaStrCopy __vbaStrErrVarCopy __vbaStrI2 __vbaStrI4 __vbaStrMove __vbaStrR4 __vbaStrToAnsi __vbaStrToUnicode __vbaStrVarCopy __vbaStrVarMove __vbaStrVarVal __vbaVarAdd __vbaVarAnd __vbaVarCat __vbaVarCmpNe __vbaVarCopy __vbaVarDup __vbaVarLateMemCallLd __vbaVarLateMemCallLdRf __vbaVarMove __vbaVarNot __vbaVarOr __vbaVarSub __vbaVarTstEq __vbaVarTstNe __vbaVarVargNofree vertAlignenum VicBinding VT i3=Z WebBrowser WebBrowser1 WebBrowser2 WebBrowser3 WebDoMainPath Windows_Box_Caption Windows_Box_Height Windows_Box_Width wininet.dll *wvgvw<4 <xap:CreateDate>2010-02-26T13:49:13+08:00</xap:CreateDate> <xap:CreateDate>2010-02-26T13:50:05+08:00</xap:CreateDate> <xap:CreateDate>2010-02-26T13:50:40+08:00</xap:CreateDate> <xap:CreatorTool>Adobe Photoshop CS2 Windows</xap:CreatorTool> <xap:MetadataDate>2010-02-26T13:49:13+08:00</xap:MetadataDate> <xap:MetadataDate>2010-02-26T13:50:05+08:00</xap:MetadataDate> <xap:MetadataDate>2010-02-26T13:50:40+08:00</xap:MetadataDate> </xapMM:DerivedFrom> <xapMM:DerivedFrom rdf:parseType="Resource"> <xapMM:DocumentID>uuid:6881ADDE9A22DF1183AAC4DCEB80F844</xapMM:DocumentID> <xapMM:DocumentID>uuid:D1AE1D849A22DF1183AAC4DCEB80F844</xapMM:DocumentID> <xapMM:DocumentID>uuid:D6AE1D849A22DF1183AAC4DCEB80F844</xapMM:DocumentID> <xapMM:InstanceID>uuid:6981ADDE9A22DF1183AAC4DCEB80F844</xapMM:InstanceID> <xapMM:InstanceID>uuid:D2AE1D849A22DF1183AAC4DCEB80F844</xapMM:InstanceID> <xapMM:InstanceID>uuid:D7AE1D849A22DF1183AAC4DCEB80F844</xapMM:InstanceID> <xap:ModifyDate>2010-02-26T13:49:13+08:00</xap:ModifyDate> 
<xap:ModifyDate>2010-02-26T13:50:05+08:00</xap:ModifyDate> <xap:ModifyDate>2010-02-26T13:50:40+08:00</xap:ModifyDate> XICC_PROFILE xmlns:dc="http://purl.org/dc/elements/1.1/"> xmlns:exif="http://ns.adobe.com/exif/1.0/"> xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/"> xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#"> xmlns:tiff="http://ns.adobe.com/tiff/1.0/"> xmlns:xap="http://ns.adobe.com/xap/1.0/"> xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/" <?xpacket begin=" <?xpacket end="w"?> </x:xmpmeta> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1.1-111"> XZ}^Ux\[ ]X{\[zYV XZ~^Yv][ =Y7DUGPQG\z YR&/*R~ y~SWWWWW yy~WWz yyyySWWz z3aF 84 [Z}[\{^W~Y[