MD5: a25d70caefbaaaba417a4e921bdfe22e
SHA1: 54826657d29dc8dbbf4b4f26ddbd40822a73fdc3
SHA256: f36ef4099a14ea8e6dc13d088ed64fcf37c09e9ccf6310954263a29889c5ee7d
SSDeep: 49152:qFcNRTxrt8KxSRzYYiaj zMfVixxIcpeES2:qaRTxB9yYesMfSIcpeES
Size: 1781760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-08 15:12:07
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

FIFA-Fest.EXE:1572
FIFA.exe:1672
%original file name%.exe:1848
DemoPri.exe:1608

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process FIFA-Fest.EXE:1572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\FIFA.exe (24272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\DemoPri.exe (1815 bytes)

The process FIFA.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp\FIFA-2014.ppsx (8594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp\2.bat (59 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp\2.bat (0 bytes)

The process %original file name%.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp\FIFA-Fest.EXE (10315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp\4.bat (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp\4.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp (0 bytes)

The process DemoPri.exe:1608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\update.log (22516 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (169 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SetupErr.log (22516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\setupapi.log (7332 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (279 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (671 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5204 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\msdtc.log (22516 bytes)
%WinDir%\wuapp.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\scesetup.log (22516 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (0 bytes)

Registry activity

The process FIFA-Fest.EXE:1572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 86 E6 4C D5 39 DF 11 1A E0 FC 56 B6 AE DE 43"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process FIFA.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 37 FB 37 14 50 22 36 52 FC 96 2D 12 DC 68 0D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp]
"2.bat" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C E9 21 C9 C8 55 54 B6 FC 09 45 45 83 72 6B AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp]
"4.bat" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process DemoPri.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 59 1E 51 73 59 8C DF 4C DE E7 11 0A 74 96 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "c:\windows\wuapp.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.wikipedia.org/	91.198.174.192
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://www.google.com/	173.194.113.210
hxxp://www.google.com.ua/?gfe_rd=cr&ei=a6TLVbKaO4_IYOCBvMgG	173.194.113.215
hxxp://www.microsoft.com/	23.60.20.155
hxxp://www.microsoft.com/uk-ua/	23.60.20.155

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Suspicious User-Agent (MSIE)

Traffic

GET /?gfe_rd=cr&ei=a6TLVbKaO4_IYOCBvMgG HTTP/1.1

Accept: */*

User-Agent: MSIE

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.google.com.ua

HTTP/1.1 200 OK

Date: Wed, 12 Aug 2015 19:54:20 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=windows-1251

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Server: gws

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1439409260:LM=1439409260:V=1:S=qzt9cjTfuQkcaDO9; expires=Fri, 11-Aug-2017 19:54:20 GMT; path=/; domain=.google.com.ua

Set-Cookie: NID=70=jwNSHqRQ0KtDIdb8D72v8GB6TvfdnYuM6DWln0YzAVtnkBxpb_5QqG3GveuhS4so-z8rti0Fk8CCTkmQF1VHeWLMgCw7FjkZnmGAsTvm3AJxCziHnF16WZtdqy4i2C7W; expires=Thu, 11-Feb-2016 19:54:20 GMT; path=/; domain=.google.com.ua; HttpOnly

Accept-Ranges: none

Vary: Accept-Encoding

Transfer-Encoding: chunked
ee7..<!doctype html><html itemscope="" itemtype="hXXp://schem
a.org/WebPage" lang="uk"><head><meta content="text/html; c
harset=windows-1251" http-equiv="content-type"><meta content="/i
mages/google_favicon_128.png" itemprop="image"><title>Google&
lt;/title><script>(function(){window.google={kEI:'bKTLVcGWBOK
cygPgj5GgCw',kEXPI:'3700276,3700372,4020726,4029815,4031109,4032235,40
32500,4032678,4033307,4033344,4034882,4036527,4036671,4036848,4037333,
4037457,4037531,4037569,4037981,4038012,4038464,4039462,4039879,403989
5,4040112,4040135,4040361,4040676,4040849,4040865,4040958,4041304,4041
440,4041507,4041974,4042059,4042180,4042270,4042384,4042695,4042833,40
43026,4043254,4043411,4043428,4043564,4043718,4043754,4044411,8300200,
8300203,8500394,8500572,8500851,8501294,8501407,8501489,8501987,102000
83,10201335,10201342',authuser:0,kscs:'c9c918f0_10'};google.kHL='uk';}
)();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(
var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode
;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a
.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b};
google.https=function(){return"https:"==window.location.protocol};goog
le.ml=function(){return null};google.time=function(){return(new Date).
getTime()};google.log=function(a,b,d,e,g){a=google.logUrl(a,b,d,e,g);i
f(""!=a){b=new Image;var c=google.lc,f=google.li;c[f]=b;b.onerror=b.on
load=b.onabort=function(){delete c[f]};window.google&&window.googl
<<< skipped >>>

GET /?gfe_rd=cr&ei=a6TLVbKaO4_IYOCBvMgG HTTP/1.1

Accept: */*

User-Agent: MSIE

Cookie: PREF=ID=1111111111111111:FF=0:TM=1439409260:LM=1439409260:V=1:S=qzt9cjTfuQkcaDO9; NID=70=jwNSHqRQ0KtDIdb8D72v8GB6TvfdnYuM6DWln0YzAVtnkBxpb_5QqG3GveuhS4so-z8rti0Fk8CCTkmQF1VHeWLMgCw7FjkZnmGAsTvm3AJxCziHnF16WZtdqy4i2C7W

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.google.com.ua

HTTP/1.1 200 OK

Date: Wed, 12 Aug 2015 19:54:20 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=windows-1251

Server: gws

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Accept-Ranges: none

Vary: Accept-Encoding

Transfer-Encoding: chunked
2448..<!doctype html><html itemscope="" itemtype="hXXp://sche
ma.org/WebPage" lang="uk"><head><meta content="text/html; 
charset=windows-1251" http-equiv="content-type"><meta content="/
images/google_favicon_128.png" itemprop="image"><title>Google
</title><script>(function(){window.google={kEI:'bKTLVaiACo
LIyAPj9ZegBA',kEXPI:'3700276,3700372,4020726,4029815,4031109,4032235,4
032500,4032678,4033307,4033344,4034882,4036527,4036671,4036848,4037333
,4037457,4037531,4037569,4037981,4038012,4038464,4039462,4039879,40398
95,4040112,4040135,4040361,4040676,4040849,4040865,4040958,4041304,404
1440,4041507,4041974,4042059,4042180,4042270,4042384,4042695,4042833,4
043026,4043254,4043411,4043564,4043615,4043718,4044307,4044309,4044411
,8300200,8300203,8500394,8500572,8500851,8501294,8501407,8501489,85019
87,10200083,10201335,10201342',authuser:0,kscs:'c9c918f0_10'};google.k
HL='uk';})();(function(){google.lc=[];google.li=0;google.getEI=functio
n(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.p
arentNode;return b||google.kEI};google.getLEI=function(a){for(var b=nu
ll;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;r
eturn b};google.https=function(){return"https:"==window.location.proto
col};google.ml=function(){return null};google.time=function(){return(n
ew Date).getTime()};google.log=function(a,b,d,e,g){a=google.logUrl(a,b
,d,e,g);if(""!=a){b=new Image;var c=google.lc,f=google.li;c[f]=b;b.one
rror=b.onload=b.onabort=function(){delete c[f]};window.google&&win
<<< skipped >>>

GET / HTTP/1.1

Accept: */*

User-Agent: MSIE

Host: VVV.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1

HTTP/1.1 302 Moved Temporarily

Server: AkamaiGHost

Content-Length: 0

Location: hXXp://VVV.microsoft.com/uk-ua/

Date: Wed, 12 Aug 2015 19:54:16 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2
....


GET /uk-ua/ HTTP/1.1

Accept: */*

User-Agent: MSIE

Host: VVV.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/html

Expires: -1

Server: Microsoft-IIS/8.0

CorrelationVector: 5Inz3zU750quvUPY.1.2

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Credentials: true

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Content-Length: 82316

Date: Wed, 12 Aug 2015 19:54:18 GMT

Connection: keep-alive

Set-Cookie: MS-CV=5Inz3zU750quvUPY.1; domain=.microsoft.com; expires=Thu, 13-Aug-2015 19:54:17 GMT; path=/

X-CCC: SE

X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsof
t.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lan
g="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta ht
tp-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="ut
f-8" /><meta name="viewport" content="width=device-width, initia
l-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.c
om/favicon.ico?v2" /><script type="text/javascript" src="hXXp://
ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> ..           /
/ Third party scripts and code linked to or referenced from this websi
te are licensed to you by the parties that own such code, not by Micro
soft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibra
ry/CDN.ashx...       </script><script type="text/javascript" 
language="javascript">/*<![CDATA[*/if($(document).bind("mobilein
it",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.ma
tch(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("st
yle");msViewportStyle.appendChild(document.createTextNode("@-ms-viewpo
rt{width:auto!important}")),document.getElementsByTagName("head")[0].a
ppendChild(msViewportStyle)}/*]]>*/</script><script type="
text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3
.2/jquery.mobile-1.3.2.min.js"></script><script type="text
/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js">&
lt;/script><script type="text/javascript" src="hXXp://c.webt
<<< skipped >>>

GET /uk-ua/ HTTP/1.1

Accept: */*

User-Agent: MSIE

Host: VVV.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1; MS-CV=5Inz3zU750quvUPY.1

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/html

Expires: -1

Server: Microsoft-IIS/8.5

CorrelationVector: 5Inz3zU750quvUPY.2.1

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Credentials: true

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Content-Length: 82322

Date: Wed, 12 Aug 2015 19:54:19 GMT

Connection: keep-alive

Set-Cookie: MS-CV=5Inz3zU750quvUPY.2; domain=.microsoft.com; expires=Thu, 13-Aug-2015 19:54:19 GMT; path=/

X-CCC: SE

X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsof
t.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lan
g="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta ht
tp-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="ut
f-8" /><meta name="viewport" content="width=device-width, initia
l-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.c
om/favicon.ico?v2" /><script type="text/javascript" src="hXXp://
ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> ..           /
/ Third party scripts and code linked to or referenced from this websi
te are licensed to you by the parties that own such code, not by Micro
soft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibra
ry/CDN.ashx...       </script><script type="text/javascript" 
language="javascript">/*<![CDATA[*/if($(document).bind("mobilein
it",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.ma
tch(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("st
yle");msViewportStyle.appendChild(document.createTextNode("@-ms-viewpo
rt{width:auto!important}")),document.getElementsByTagName("head")[0].a
ppendChild(msViewportStyle)}/*]]>*/</script><script type="
text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3
.2/jquery.mobile-1.3.2.min.js"></script><script type="text
/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js">&
lt;/script><script type="text/javascript" src="hXXp://c.webt
<<< skipped >>>

GET / HTTP/1.1

Accept: */*

User-Agent: MSIE

Host: VVV.wikipedia.org

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 TLS Redirect

Server: Varnish

Location: hXXps://VVV.wikipedia.org/

Content-Length: 0

Accept-Ranges: bytes

Date: Wed, 12 Aug 2015 19:54:16 GMT

X-Varnish: 4019962526

Age: 0

Via: 1.1 varnish

Connection: close

X-Cache: cp3041 frontend miss (0)

Set-Cookie: GeoIP=UA:::50.4500:30.5233:v4; Path=/; Domain=.wikipedia.org

Set-Cookie: WMF-Last-Access=12-Aug-2015;Path=/;HttpOnly;Expires=Sun, 13 Sep 2015 12:00:00 GMT

GET / HTTP/1.1

Accept: */*

User-Agent: MSIE

Host: VVV.google.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=a6TLVbKaO4_IYOCBvMgG

Content-Length: 260

Date: Wed, 12 Aug 2015 19:54:19 GMT

Server: GFE/2.0
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=a6TLVbKaO4_I
YOCBvMgG">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=a6TLVbKaO4_IYOCBvMg
G..Content-Length: 260..Date: Wed, 12 Aug 2015 19:54:19 GMT..Server: G
FE/2.0..<HTML><HEAD><meta http-equiv="content-type" con
tent="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE>
;</HEAD><BODY>.<H1>302 Moved</H1>.The document
 has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=a6TL
VbKaO4_IYOCBvMgG">here</A>...</BODY></HTML>....

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

VERSION.dll

advapi32.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

PSSSSSSh

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegQueryInfoKeyA

GetWindowsDirectoryA

ExitWindowsEx

MsgWaitForMultipleObjects

rundll32.exe %s,InstallHinfSection %s 128 %s

SHELL32.DLL

Software\Microsoft\Windows\CurrentVersion\RunOnce

PendingFileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

%s /D:%s

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

Command.com /c %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

33333330

3333333

33333333

FIFA.exe

DemoPri.exe

TK.rO

%dI "

Q%f\D

`.nkVc

~a%Sq

fTpg

F.mCk

.cx(U9

pi.rv

b.IE)

$%s~{

Cg.wE

{"%FM

D".vN

).Vq/

.Ss0~

7.ö

U%Utr Z

>v.LX)#>p

%u6b%

l.jK[

BK%FS

N^ú

.tsQ9Y

aD.Av

~.KWU^

-lI8.xI<

pw.sW

:y'J3.vc

l.qq[

3.Osg

vY.PNN

fc[oW.Rva

[email protected]

6.cX 

oy%ch

.XHl p

%7s=MQ

\.vBM

^}%cG

{KB.er

z8y.Sw

:\e.wb

mSgb

%C]PK

k.fuO

OwWW.

%fya)

%sASc

VW|"%sX

yE.cYI

.MO>$K

R.wl${^V

1s.Nh{

%u;KwG

..SzWzW

%UN6}

2.pD|

duL.UvW

3>8F(Ö

kv.ahe@

/r.MC^

Q.qLhy3

`qp\/U

{%c<~

%xW.c

g^n%f

.jw5^

%U;L%xJ

cs.Jf

TcpY

3%c'y

s.tv:

;n%xv

4.pgp

.WE8$,x

.UV^o

ycb.Aj

%fUY1

\.kB^g

t%Djl

.Ob1c

B[ |.lU

V%Dr=

M&B"Qc.fp>

h<.hX<

C;URL6

}.DZqJ4%s

FN[.RD

%x85P3

8{f%c@b

(.MNf

.Qg |

zg.AXi

LO=}.wwv(

{%SHj

7Z:%C

>.wqc

.bLh/~'

/hb%f

pGS0%D

T.gLf

X%XuEa

.rn\V

}x:r%sxwr/

P%uEM

&XÌ?FI

i.zx_

.IAn511

geXe

%f.EK

X]3.GeI

Ý,1

X %FQ

!.Zrg

z%U J

.yI`,D2

.ox/Q

&_|jGSôE

-7}Op

3`.rO

'?.gd~

r.OTq8

%U@(;-

-J.bh7J

2%D)R^%

WeB~$

P.wMk

81.nI

48_G.cf

Ws.iu

h0P%uz

rtE%sx

m2ÏQu

Uu.WQL

#Q.xKhE

TcP-g[

u%f%pk

.Cqqc

.RdD{

4~.iub

tt]%f

UP*.hMy

rW%FyoO

<%u_5.W$E

%X[pd|

'i.qx

/K_vW.hR>

42~Ó

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.Ên not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

/C:<Cmd> -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

6.00.2900.5512 (xpsp.080413-2105)

WEXTRACT.EXE

Windows

Operating System

6.00.2900.5512

pptview.exe_1684:

.text

`.data

.rsrc

@.reloc

.BX @B}

-B}E-B

.Bpq-B|

.BT&.BT&.B

.SBl?IB9

.Bo *Bo *B

.'D?.fA?.sA?.

B?.'B?.7B?.GB?.WB?.

.gB?.

.wB?.

C?.'C?.7C?.GC?.WC?.gC?.wC?.

fA?.sA?.

B?.'B?.-E?.=E?.WB?.'

B?.ME?.

C?.'C?.7C?.GC?.WC?.gC?.]E?.

B?.'B?.-E?.=E?.WB?.t

.gB?.V

B?.ME?.@

B?.'B?.-E?.=E?.WB?.

.gB?.7

B?.'B?.-E?.=E?.WB?.F

.Mp,.Mp,.

.Mp,.Mp,.X>

F?.WB?.

.Mp,.

.Mp,.P

.Unicows.dll

Kernel32.dll

.CreateActCtxW

.PowerPoint 12.0 Internal Shapes

?.Mp,.l

.Mp,.M

?.DirectSoundCreate8

.Mp,.E

# PresentError - video filter passed us invalid or unexpected parameters.

# These values are reported by video filter's IQualProp interface, and report video filter state (not PPT/OfficeArt/Gfx state). See IQualProp for details.

# PowerPoint version %d.%d.%d.%d %s (%s, built by %s)

.AnsiTranslationWindowClass

.xr).g$

.Mp,.{q

q,.Mp,.X>

>:.Fk:.}m:.fk:.

;:.CZ:.

i'.qy

.Mp,.r

.XN3.X>

.xr).

C?.'C?.7C?.GC?.WC?.gC?.

B?.'B?.-E?.=E?.WB?.l

.gB?.V 

q,.Mp,.Mp,.X>

F?.WB?.QJ

.Mp,.X>

B?.'B?.-E?.=E?.WB?.vT

B?.lQ

3?.gB

B?.zH

C?.'C?.7C?.GC?.WC?.gC?.oX

B?.'B?.-E?.=E?.WB?.3[

B?.GY

..ASX

.MCIFullscreenWindow

>.o%8.S

MSIMEMouseOperation

.Ep,.y

.Ep,.jZ

.Ep,.VS

.Ep,.Ep,.

.Comctl32.dll

.Mp,.:

q,.Mp,.Mp,.

.WM_CAG_ENTERMODAL

.PPTNonBootFiles

PPTViewerWebDownloadFiles

POWERPNT.EXE

PPTVIEW.EXE_0001

PPTIRMV.XML

PPTIRM.XML

MSPPT.OLB

PPINTL.DLL

q,.Mp,.

4?. 4?.&4?.,4?.24?.84?.>4?.*

[,.fC

c?.gB?.

.ME?.

B?.'B?.-E?.=E?.WB?.,7

.Mp,.zd

OpenLinkedPresentationsAsShows

Import

FlattenedExportResolution

ForceShellExecute

OverrideForceShellExecute

MSGraphEnable

BlockHTTPImages

ExportBitmapResolution

Export

Windows

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

msptls.dll

.PPPrintThreadDone

A?.uJ

B?.XN

C?.'C?.7C?.GC?.

.gC?.]E?.

.=E?.WB?.UD

.gB?.NL

ExportGr

>.zwnj

.Mp,.B

.SLUrl

F?.zI

.3i2.na

.xr)."

.WB?.

.GC?.e

&.Mp,.3i2.

.=E?.WB?.

.gB?.I

B?.'B?.-E?.=E?.WB?.r

".gB?.

B?.'B?.-E?.=E?.WB?.q

.gB?.m

.gB?.l

j?.-E?.=E?.WB?.

c?.gB?.7

.GC?. V

.gC?.

.Mp,.c

4?.sF

4?.Je

5?."5?.(5?..5?.45?.

.?9=.1,=.

.tk .

4?. 4?.&4?.,4?.24?.84?.>4?.Uk .

.Mp,.

6?.jt .

6?.$6?.*6?.06?.66?.<6?.

6?.Ux .

6?.ou .

?.Mp,.

.Mp,.;

.$6?.*6?.

7?.66?.<6?.

.Xs!.9

?.yq!.9

.yq!.

.yq!.X

.yq!.9

.Ao!.

!.yq!.9

!.mv!.9

!.yq!.

.DO!._@!.

7?.LM!.l6?.r6?.x6?.~6?.

.ua!.yq!.9

.Nh!.yq!.j

8?.$6?.*6?.

.Ry!.

.*9?.09?.69?.

!.kz!.

.pG".

.Ka".Am".

.Am".Am".

a".Jm".

.Jm".Jm".

".MH".rH".

`".kO".

4?. 4?.&4?.,4?.24?.84?.>4?.

:?.`9?.'

:?.@8?.66?.

.;?.4;?.

)#.%_#.-^#.

#.LQ#.

".Xg#.

.#.zW#. 7?.

.ZV$.

H$.lV$.uV$.

.vQ$.

Q$.3W$.bW$.yH$.X>

e$.nd$.

@f<?.l<?.r<?.si$.X|$.

.Wm$.}m$.

k$.Rp$.

~$.Yw$.v|$.Iq$.

$.=$=.Mp,.

4?. 4?.&4?.,4?.24?.84?.>4?.&

$.Mp,.

%.tE%.

4?. 4?.&4?.,4?.24?.84?.>4?./

4?. 4?.&4?.,4?.

<?.84?.>4?.

=?.84?.>4?.

$. =?.&=?.

4?.2=?.8=?.

.yc%.t=?.z=?.

&.Mp,.

s&.Ms&.

6?.sE&.

6?.$6?.*6?.

7?.66?.<6?.OH&.B6?.H6?.N6?.

6?.zN&.

5?.B6?.)F&.lF&.

6?.CO&.

f&.rE=.

g&..D=.yD=.">?.4e&..>?.4>?.:>?.@>?.Ds&.;s&.2s&.)s&. s&.

4?. 4?.&4?.,4?.24?.84?.>4?.

q?./q?.v>?.|>?.?q?.Oq?._q?.oq?.

&.op?.

&.p>?.?p?.Op?._p?.

&.|>?.?q?.Oq?._q?.oq?.

o?.,o?.<o?.d>?.j>?.Lo?.\o?.lo?.|o?.

.Qi'.

&.mk'.0

.dv).

'.mk'.

'.Qi'.~

'.mk'.g

o'.Nk

$'.mk'.e,'.

<'.mk'.

.Qi'.yI'.

i'.Jl(./

x'.qv'.

{'.Xz'.

'.av)./

?.mk'./

'.qv'.

.Dl(.

.Jl(.4l(.

,m(.zo(.o

.Mp,..

(.Mp,.

J).c[).tX).

.wW).9

.Q]).eG).

.8^).JH).

.AH).

.jG).jG).sG).

n).<o).Zo).

q).sq).%r).

p).xr).

j).xr).

r).xr).

).hx).kx).

 *.*8*.

K*.BL*.

S*.hl(.

x*.7o*.(x*.8x*.Hx*.Xx*.hx*.xx*.

q*.zp*./_*.AT*.

_*.KT*.UT*.

a*.?b*.ub*.

c*."c*.Kc*.tc*.

c*.Ot*.

d*.Cd*.Yd*.od*.

U*.,U*.FU*.`U*.pU*.

V*.4V*.DV*.

t*.$u*.HW*.XW*.2e*.[e*.

*.Mp,.X>

*.Mp,.

.Mp,.g

 .Local\FullScreenPresentationModeInfo

  .5/ .</ .

P .&P .7P .gX .X>

?.Ok .

u .Ok .

} .Ok ./

?.\} .Ok .

} .Mp,.

} .Ok .

u .Ok .;

 .\} .Ok ..

Q,.PQ,.

. T,.pT,.

n,.Yz,.

.kr,.

b,. b,.;b,.Kb,.[b,.mb,.

?.cd,.sd,.

d,.Uy,.

.vq,.

,.Mp,.X>

,.fq,.

.ye,.

l,.Mp,.X>

l,.Mp,.

m,.Ht,.

.ag,.

.Cm,.

.!h,.1h,.Ah,.

.ah,.

h,.!i,.Gi,.

.gi,.

q,.Mp,.Mj,.X>

m,.]j,.oj,.(

k,.1k,.Wk,.

n,.Dn,.

.Qg,.ag,.og,.Cm,.

.Qm,.

g,.Qh,.

.sh,.

h,.!i,.Gi,.Wi,.

.wi,.

.cm,.sm,.

m,.Mp,.Mj,.X>

m,.]j,.oj,.

m,.gk,.

.ag,.wk,.Cm,.

.Qh,.

k,.Cm,.

-.pV-.

e-.Le-.

w-.Qw-.

4..0S1. ,.._5..0S1.K,.._T..0S1.v,..YU..0S1.

7..~*..48..

2..fmt

2.un..8_..

_..It..

..fw..y

..gy..[

.Mp,.#

K0.pK0.X>

[-.Gy0.

[-.qn0.

).dT1.

" & 0 8 :

5.ca2.

2.EnumSelectionOffsets

.Microsoft (R) PowerPoint (R) Windows

,6.so6.

,6.MG6.

,6.ap6.

17.g07.317.317.

.Mp,.Mp,.r

F7.zI

.nf7.Mp,.r

[email protected].

>.WV9.

>.cv9.

v9.Dw9.

w9.%x9.px9.

y9.Sy9.

[email protected]@.>X9.

9.KY9.v

[9.5\9.{\9.

??.Mp,.K<:.

>:.GV:.

??.gI:.

>.DX;.

>.jL;.

L;.nU;.

-.wK*.

;.)y;.Ry;.l

l;.{l;.tl;.fl;.ml;._l;.Xl;.Ql;.Jl;.Cl;.<l;.5l;..l;.'l;. l;.

k;.Vm;.:m;./n;.

m;.um;.

:.pz;.

;.ch;.nh;.zh;.

;.Wu;.5

/=.=$=.Mp,.

6?.VF=.

=?.VK=.AN=.r6?.x6?.~6?.

D=.rE=.

I=..D=.yD=.">?.(>?..>?.4>?.:>?.@>?.Ds&.;s&.2s&.)s&. s&.

.{B>.yA>.

B>.yA>.

j>.do>.

mso.dll

>.EL@.

>.dY@.

>.uE@.

[email protected]@.PM@.

[email protected]@.

[email protected]@.

>.ce@.

>. [email protected]@.

[email protected]@.

[email protected]@.

.Kn@.

>.ok@.

[email protected]@.

[email protected]@.s

0123456789

DO.tU

t(SSSSh

EO.VW

SSh8R

.hHEO.

.WSSS

SSHHPV

u%Shuc8f

~O.PRPPPPh

~O.VPVVVVh

~O.WWP

.WSWW

WPPSSh

~O.uhV

.PVVVVVVSV

.WVWWV

L.SVW

jO.Xf

u_9=$jO.uW

O.SPSV

u,SSh

L.jdX^

L.hpv

jO.tT

%djO.

%X{O.

%d{O.

t.Shej37

h~O.RQ

~O.VVVVVVVVWV

%d~O.

%X~O.

4444444456444444744

(t.Ht

O.WhQ

O.WWV

O.Wje

O.PWh

~O.VVV

O.WPh

O.WPha

O.WPhn

O.PhY

.Wh`]

M.VW3

tLHtBHt8Ht.Ht$Ht

.WWWV

SSSSh8

Ht.HtO-

FtPWV

L.hh7xej

L.PSVWj

PRSSSSh

tKSSh

O.umV

L.jDW

t%SSSSP

L.SSj

O.tN;

L.hi7xe

t%SSSP

SSSSh

L.WjP

O.SVW

O.uNj0

O.uQj0^VP

h.AVIRP

h.AVI

j.Yf;

SSh`W

uNSSh

u:SSh

u&SSh

t.WSh

udj.Wj

t:Ht.Ht j

CSSh@

N.ud;

L.jXj

t.Shcymy

6M.Pj

~O.VVVVVVh

6M.ShC

t:Ht4Ht4Ht.Ht

@7M.QQ

O.uAV

.PHPV

8MM.Vj

tBHt.Ht

SSSh$

O.Ph0OM.

Vt.HuN

.SSSSj

O.XOM.

tsShllp1

@PSSh

O.tM9]

.WWjHS

OM.uA

O.tBShdhvh

PSSh%

O.uMh

N.tn;

L.jch

L.PhR

.VVVVP

t.Ht Ht

.uTj?Zj

N.um;

N.ueB

!"#$%&'()*'(>>>>

T.SVW

L.SSj

tBHt6Ht.Ht&Ht

Ht.Ht

L.jdX^[

8_.tE

L.Shz1a5

~O.VVP

u.RRRRh

tGSSSSh

SSSh@

L.hyl5f

TjN.HGW

L.Wj<

TjN.SS

O.VQP

~.Whe2g8

TjN.Sj

L.PSSj

L.PVVj

& .8& .[& .

@ .rA .

F .4G .dG .

G .;H .zH .

H .zH .

P .pQ .

Q .jL

T ./U .CU .zU .

V .kW .uW .

W . X .-X .HX .

LjN.hiT .j

L.Ph@

u%SSSS

L.ham5f

#.hXw

Ht>Ht.Ht

L.PSS

u%Shxcy8

.SSSS

.hddd

L.PQj$

9V&.YV&.PV&.tV&.bV&.}V&.9V&.kV&.j

tLHt1Ht.Ht&Ht

S'.<S'.?S'.CS'.HS'.MS'.RS'.WS'.U

Ht9Ht.Ht#Ht

(.QVP

(.RQP

^t.It$It

L.hry1f

[email protected]

[email protected]

.hN|>[email protected]

L.Whtu46

~O.ug

L.Vh|

#s*.2s*.>s*.Ms*.\s*.bs*.qs*.

P.uAj0

NhSSh

P.uFh

t SSh8R

  .,  .@  .

t.Ht HVt

t:Ht.Ht"Ht

Q .cQ .

Q .IQ .

R .IR .3R .rR ._R .}R .

x .Wy .^y .ey .ly .sy .Fy .Py .zy .

P.RQP

eE,.oE,.yE,.

P.RQPj

.hkc3c

.Phouh3

L.jQ[

T.VVVVP

uNSShPZ

u:SSh\Z

u&SShhZ

L.ho8xe

L.hj7xe

I..hI..:J..

F..'F..aF..

J..pL..

8^.tS

L.hz7xe

u%Shump8

/.Shrxg5

.WWh$

B/.mC/.

D/."D/.4D/.DD/.VD/.

D/.QF/.

R/.OS/.

U/.qT/.

W/.lW/.|X/.=Y/.

i/.Hq/.

r/.es/.mw/.}

/.mP/.wP/.

t.Shpxg5

tcPS

L.hl7xej

L.hm7xej

L.hr7xej

L.hs7xe

L.ht7xej

L.hu7xe

L.hv7xej

L.hy7xeV

L.hn7xej

L.ho7xe

L.hp7xej

L.hw7xeS

L.hx7xe

btUHt<Ht.Ht Ht

MSGRu

Wh.LNKRP

N.tt;

N.td;

N.tT;

N.tD;

N.tb;

N.tR;

N.tB;

G0tcPV

tQSSh

t:SSh|

L.PSj

L.h1exe

[email protected]

[email protected]

kI3.wJ3.wJ3.

J3.6J3.jJ3.

I3.wJ3.

L.h9exeW

h6exeP

L.h7exeS

h8exeS

FdSSh

.SSSSSSS

.twHtEH

f92u.GBB;

L.VVh

?5.Sj Sjl

(.Sj Sj

h5exe

L.h3exe

L.h2exe

L.h4exe

h0exeP

.SPSj

Ht.Ht&Ht

L.hk9xeW

L.hb9xeP

L.he9xeP

L.hf9xeP

.hm9xeP

L.hp9xeP

L.hq9xeP

|6M.WV

E7.zE7.~E7.

E7.\E7.ME7.\E7.vE7.rE7.jE7.nE7.U

`7.3`7.?`7.la7.K`7.i_7.W`7.3a7.j

g8.ah8.uh8.

k8.'k8.Nk8.bk8.vk8.

u.VVh

.WPWj

.VWSh

.VWShd)

5(1M.jVR

L.QQQP

t?Ht6Ht.Ht&Ht

Tt.Ht

j.Xf;

j.SVW

L.hak5f

@O.sZ

tCPS

%XHT.

PSSh4c

PhpHT.SS

|HT.xHT.f

HT.SQ

LT.tM

LT.tAV

LT.QS

LMT.YYS

LT.SS

MT.YY

.Sj'h,

.FB."

.zB."

)%C."

Ü."

.pC.&

;%D."

n%D."

pptview.exe

MSO.dll

OLEAUT32.dll

SHLWAPI.dll

AVIFIL32.dll

WINMM.dll

t2embed.dll

gfx.dll

SHELL32.dll

oart.dll

ole32.dll

ADVAPI32.dll

USER32.dll

GDI32.dll

KERNEL32.dll

MSVCR90.dll

_crt_debugger_hook

_acmdln

_amsg_exit

SetThreadExecutionState

GetProcessHeap

GetViewportOrgEx

SetViewportOrgEx

GetKeyboardLayout

GetAsyncKeyState

CreateDialogIndirectParamW

EnumWindows

ActivateKeyboardLayout

GetKeyboardLayoutList

GetKeyState

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

RegEnumKeyExW

ReportEventW

RegOpenKeyExA

ShellExecuteW

t:\ppt\x86\ship\0\pptview.pdb

6\ship\0\pptview.exe\bbtopt\pptviewO.pdb

x?. A?.CA?.JA?.QA?.XA?._A?.>2

B?.-B?.=B?.MB?.

C?.-C?.=C?.MC?.]C?.mC?.}C?.

D?.-D?.=D?.GD?.QD?.[D?.Z_

9oD?.yD?.

93E?.CE?.SE?.cE?.

F?.'F?.1F?.;F?.EF?.OF?.YF?.cF?.mF?.wF?.

9CG?.MG?.WG?.aG?.kG?.

9GH?.QH?.[H?.eH?.oH?.yH?.

I?.#I?.-I?.7I?.AI?.KI?.UI?._I?.

J?.'J?.1J?.;J?.EJ?.OJ?.

K?.!K?. K?.5K?.?K?.IK?.

9%L?./L?.9L?.CL?.ML?.

9aL?.kL?.uL?.

M?.)M?.3M?.=M?.GM?.QM?.[M?.eM?.oM?.yM?.

N?.#N?.-N?.7N?.AN?.KN?.UN?._N?.iN?.sN?.}N?.

O?.%O?./O?.9O?.CO?.MO?.WO?.aO?.kO?.uO?.

O?.Hq

P?.)P?.3P?.=P?.GP?.QP?.[P?.eP?.oP?.yP?.

Q?.#Q?.-Q?.7Q?.AQ?.KQ?.UQ?._Q?.iQ?.sQ?.}Q?.

R?.'R?.1R?.;R?.ER?.OR?.YR?.

9mR?.wR?.

$9MT?.WT?.

#9kT?.uT?.

9QU?.[U?.eU?.oU?.yU?.

V?.#V?.-V?.7V?.AV?.KV?.UV?._V?.iV?.sV?.}V?.

P#9EW?.OW?.YW?.cW?.mW?.wW?.

9!X?. X?.5X?.?X?.IX?.SX?.

9gX?.qX?.{X?.

Y?.%Y?./Y?.9Y?.CY?.MY?.

9kY?.uY?.

[?.eQ

\?.Bi

9O^?.Wp

a?."a?.,a?.6a?.@a?.Ja?.Ta?.^a?.ha?.ra?.|a?.

9&b?.0b?.:b?.Db?.Nb?.Xb?.bb?.lb?.vb?.

9Dc?.Nc?.Xc?.bc?.lc?.vc?.

9\d?.fd?.pd?.*

e?.&e?.6e?.Fe?.1

9Ze?.de?.ne?.

f?.$f?..f?.8f?.Bf?.Lf?.Vf?.`f?.jf?.

g?.(g?.2g?.<g?.Lg?.Vg?.`g?.jg?.tg?.~g?.

h?.(h?.2h?.<h?.Fh?.Ph?.Zh?.dh?.nh?.xh?.

9Ji?.Ti?.["

9hi?.ri?.|i?.

9Dj?.Nj?.Xj?.bj?.lj?.vj?.

k?.(k?.2k?.<k?.Fk?.Pk?.Zk?.dk?.nk?.xk?.

l?."l?.,l?.6l?.@l?.Jl?.Tl?.^l?.hl?.rl?.|l?.

9&m?.0m?.:m?.Dm?.Nm?.Xm?.bm?.lm?.vm?.

n?. n?.*n?.4n?.>n?.Hn?.Rn?.\n?.fn?.oX

9"o?.2o?.Bo?.Ro?.

9Ep?.Up?.

q?.Wb

9%q?.5q?.Eq?.Uq?.eq?.uq?.

r?.'r?.1r?.;r?.Er?.Or?.Yr?.cr?.mr?.wr?.

s?.RH

9]s?.gs?.qs?.{s?.

9kt?.ut?.

u?.)u?.3u?.=u?.Gu?.Qu?.[u?.eu?.ou?.yu?.

v?.)v?.3v?.=v?.Gv?.

9[v?.ev?.ov?.yv?.

w?.#w?.-w?.7w?.Aw?.Kw?.Uw?._w?.iw?.^

w?.XE'9

x?.'x?.1x?.;x?.Ex?.Ox?.D

~?.ON

.PBVDrawingCommandActionParams@@

.PBVDrawingRepeatActionParams@@

.PBVMoreChoiceActionParams@@

.PBVDrawingActionState@@

.PBVSlideShowContextMenuActionParams@@

.PBVSlideShowActionParams@@

.PBVSlideShowDlgActionParams@@

.PBVRecordSlideShowDlgActionParams@@

.PBVTransitionActionParams@@

.PBVInteractiveSettingsActionParams@@

.PBVActionParams@@

.PBVActionState@@

.PBVWFrame@@

.PBVWWindowBase@@

.PBVWArea@@

.PBVWAtomicArea@@

.PBVWSplitArea@@

.PBVWSplitterWindow@@

.PBVWWindoid@@

.PBVWDocWindow@@

.PBVWScreenWindow@@

.PBVWPane@@

.PBVDocWinBase@@

.PBVDocWin@@

.PBVNormalViewSetInfo@@

.PBVSplitterDocWin@@

.PBVDlgUIContext@@

.PBVSDIDocWin@@

.PBVPPSDIWin@@

.PBVPPSDIUIContext@@

.PBVEventInfo@AudioVideo@@

.PBVOptimizeTask@AudioVideo@@

.PBVVideoExportSG@AudioVideo@@

.PBVVideoPlayback@AudioVideo@@

.PBVPlaybackBase@AudioVideo@@

.PBVSinkHandlerPlayback@AudioVideo@@

.PBVVideoPlaybackSG@AudioVideo@@

.PBVVideoSGSink@AudioVideo@@

.PBVAudioPlaybackSink@AudioVideo@@

.PBVFrameEventInfo@AudioVideo@@

.PBVVideoPlaybackVMR9@AudioVideo@@

.PBVCBackgroundTaskBase@@

.Kn%.Kn%.

.PBVStgRBuilder@@

.PBVTagInfoRBuilder@@

.PBVSlideLayoutRBuilder@@

.PBVSSSlideInfoRBuilder@@

.PBVHeadersFootersRBuilder@@

.PBVHeaderFooterDefaultsRBuilder@@

.PBVDocHeadersFootersInfoRBuilder@@

.PBVSlideSyncInfoRBuilder@@

.PBVSchemeListRBuilder@@

.PBVCObjectPersistRBuilder@@

.PBVPersistProxyRBuilder@@

.PBVSlideBasePersistProxyRBuilder@@

.PBVSlidePersistProxyRBuilder@@

.PBVNotesPersistProxyRBuilder@@

.PBVMasterPersistProxyRBuilder@@

.PBVMainMasterPersistProxyRBuilder@@

.PBVContentMasterPersistProxyRBuilder@@

.PBVNotesMasterPersistProxyRBuilder@@

.PBVHandoutPersistProxyRBuilder@@

.PBVSlideBaseListRBuilder@@

.PBVSlideBaseRBuilder@@

.PBVSlideRBuilder@@

.PBVEventRecordCollectionRBuilder@@

.PBVNotesRBuilder@@

.PBVHandoutRBuilder@@

.PBVMasterRBuilder@@

.PBVMainMasterRBuilder@@

.PBVContentMasterRBuilder@@

.PBVDocBackgroundShapeRBuilder@@

.PBVNamedShowRBuilder@@

.PBVSSNamedShowsRBuilder@@

.PBVShapeTimingInfoRBuilder@@

.PBVSlideTimingInfoRBuilder@@

.PBVAnimationInfoRBuilder@@

.PBVInteractiveInfoRBuilder@@

.PBVPlaceholderRBuilder@@

.PBVShapeBaseRBuilder@@

.PBVBookmarkRBuilder@@

.PBVBookmarkCollectionRBuilder@@

.PBVDocGridInfoRBuilder@@

.PBVCommentAuthorRBuilder@@

.PBVCommentAuthorsCollectionRBuilder@@

.PBVSummaryInfoRBuilder@@

.PBVViewInfoRBuilder@@

.PBVNotesTextViewInfoRBuilder@@

.PBVOutlineViewInfoRBuilder@@

.PBVSorterViewInfoRBuilder@@

.PBVVBAInfoRBuilder@@

.PBVSlideViewBaseInfoRBuilder@@

.PBVNormalViewSetInfoRBuilder@@

.PBVNormalViewSetDataRBuilder@@

.PBVNotesViewBaseInfoRBuilder@@

.PBVDocSlideSizeInfoRBuilder@@

.PBVHTMLDocInfoRBuilder@@

.PBVHTMLPublishInfoRBuilder@@

.PBVExternalObjectRBuilder@@

.PBVExHyperlinkRBuilder@@

.PBVHyperlinkRBuilder@@

.PBVExMediaRBuilder@@

.PBVExVideoRBuilder@@

.PBVExMovieRBuilder@@

.PBVExAVIMovieRBuilder@@

.PBVExQuickTimeMovieRBuilder@@

.PBVExAudioRBuilder@@

.PBVExMIDIAudioRBuilder@@

.PBVExCDAudioRBuilder@@

.PBVExWAVAudioLinkRBuilder@@

.PBVExWAVAudioEmbeddedRBuilder@@

.PBVExMediaFileRBuilder@@

.PBVExMedia14RBuilder@@

.PBVExObjListRBuilder@@

.PBVExOleObjRBuilder@@

.PBVExOleEmbedRBuilder@@

.PBVExOleLinkRBuilder@@

.PBVExControlRBuilder@@

.PBVDocEncryptionInfoRBuilder@@

.PBVPhotoAlbumInfoRBuilder@@

.PBVPrJobSavedOptionsRBuilder@@

.PBVPrintInfoRBuilder@@

.PBVShowInfoRBuilder@Show@@

.PBVSectionCollectionRBuilder@@

.PBVDocTextInfoRBuilder@@

.PBVDocumentRBuilder@@

.PBVELEventFrame@@

.PBVPPTBColorMenuActionState@@

.PBVComment@@

.PBVWDialogPane@@

.PBVDLPaneDialog@@

.PBVDLPaneDialogUser@@

.PBVMergeNode@@

.PBVSlideMergeDescendantBase@@

.PBVShapeMergeDescendantBase@@

.PBVReviewerBase@@

.PBVPropMergeBase@@

.PBVShapeMerge@@

.PBVDocPropGroup@@

.PBVSlidePropGroup@@

.PBVDocPropMerge@@

.PBVDocReviewer@@

.PBVSlideListMerge@@

.PBVSlideMerge@@

.PBVSlideModGroup@@

.PBVSlidePropMergeBase@@

.PBVSlidePropMerge@@

.PBVShapePropMergeBase@@

.PBVShapePropMerge@@

.PBVSlidePropReviewer@@

.PBVShapeReviewer@@

.PBVSlideSpecialPropMerge@@

.PBVShapeSpecialPropMerge@@

.PBVShapeListMerge@@

.PBVShapeModGroup@@

.PBVShapePropGroup@@

.PBVTxRevMerge@@

.PBVTxReviewer@@

.PBVTxMergeBase@@

.PBVTxMerge@@

.PBVNotesTxMerge@@

.PBVSlideNewPosReviewer@@

.PBVSlideNewPosMerge@@

.PBVSlideNewPosGroup@@

.PBVSlidePosShareListMerge@@

.PBVSlidePosShareMerge@@

.PBVSlidePosShareRevGroup@@

.PBVDLDialogBase@@

.PBVDLForeignDialogHelper@@

.PBVDLDialog@@

.PBVDLDialogUser@@

.PBVDLWorkPaneDialogUser@@

.PBVDLControl@@

.PBVDLStaticString@@

.PBVDLLabelBox@@

.PBVDLEditString@@

.PBVDLStaticPopup@@

.PBVDLEditPopup@@

.PBVDLPushButton@@

.PBVDLUserButton@@

.PBVDLBitmapButton@@

.PBVDLWorkPaneButton@@

.PBVDLRadioCluster@@

.PBVDLStateButton@@

.PBVDLRadioButton@@

.PBVDLCheckBox@@

.PBVDLScrollBar@@

.PBVDLTrackBar@@

.PBVDLTextListBox@@

.PBVDLUserControl@@

.PBVDLIcon@@

.PBVDLPicture@@

.PBVDLSpinner@@

.PBVDLNumberInput@@

.PBVDLTabControl@@

.PBVDLTreeView@@

.PBVDLListView@@

.PBVDLProgressBar@@

.PBVDLTabSheet@@

.PBVDocument@@

.PBVBaseDiffList@@

.PBVDiffList@@

.PBVDocDiff@@

.PBVSSNamedShowsDiffList@@

.PBVNamedShowDiff@@

.PBVSlideBaseDiff@@

.PBVSlideDiff@@

.PBVSlideDiffList@@

.PBVShapeDiffList@@

.PBVShapeDiff@@

.PBVOArtShapeDiff@@

.PBVSlideShowDiff@@

.PBVRecolorInfoDiff@@

.PBVInteractiveInfoDiff@@

.PBVExternalObjectDiff@@

.PBVIndexInfo@@

.PBVSlideIndexInfo@@

.PBVShapeIndexInfo@@

.PBVNamedShowIndexInfo@@

.PBVDateTimeMetaChar@@

.PBURTFDateTimeLink@@

.PBVRTFDateTimeMetaChar@@

.PBVSlideNumberMetaChar@@

.PBVFooterMetaChar@@

.PBVHeaderMetaChar@@

.PBVGenericDateMetaChar@@

.PBVDocInfoListItem@@

.PBVDocViewInfo@@

.PBVColorModeInfo@@

.PBVDocView@@

.PBVSlideContentEditor@@

.PBVEditorView@@

.PBVExMedia@@

.PBVExVideo@@

.PBVExAudio@@

.PBVExMedia14@@

.PBVExWAVAudioLink@@

.PBVExWAVAudioEmbedded@@

.PBVExQuickTimeMovie@@

.PBVExAVIMovie@@

.PBVExMovie@@

.PBVExMIDIAudio@@

.PBVExCDAudio@@

.PBVCEventHookDeletedException@@

.PBVExternalObject@@

.PBVExHyperlink@@

.PBVExOleObj@@

.PBVExOleEmbed@@

.PBVExOleLink@@

.PBVExControl@@

.PBVMarkerTracker@@

.PBVODPSaveDocContent@@

.PBVOEEditor@@

.PBVInPlaceEditor@@

.PBVEscherShape@@

.PBVOEShapeTable@@

.PBVOETxFrame@@

.PBVTBBtnActionParams@@

.PBVTBDropdownActionParams@@

.PBVTBDropdownActionState@@

.PBVTBOCXDropdownActionParams@@

.PBVTBExpandingGridActionParams@@

.PBVTBExpandingGridActionState@@

.PBVTBSwatchActionParams@@

.PBVTBSwatchActionState@@

.PBVOLEUIContext@@

.PBVOLEWindoid@@

.PBVOLEHatchWin@@

.?AVCMsgException@@

.PBVSaveDocContent@@

.PBVCMultipleMasterException@@

.PBVCMultipleLayoutException@@

.PBVCFileDlgException@@

.PBVCPrintException@@

.PBVCVBEException@@

.PBVCUIContextException@@

.PBVCAbortException@Ofc@@

.PBVCBgAbortException@@

.PBVDownRevSaveDocContent@@

.PBVPrintPreviewView@@

.PBVTag@@

.PBVStringTag@@

.PBVBinaryTag@@

.PBVLayoutParams@@

.PBVWControlPane@@

.PBVWScrollBarPane@@

.PBVSectionsDiffList@@

.PBVSectionDiff@@

.PBVSectionIndexInfo@@

.PBVServerDocInfo@@

.PBVROTRegistrationInfo@@

.PBVShapeBase@@

.PBVSlideEditor@@

.PBVSlideBase@@

.PBVNotes@@

.PBVSlide@@

.PBVHandout@@

.PBVMaster@@

.PBVContentMaster@@

.PBVMainMaster@@

.PBVMiniatureCache@@

.PBVNamedShow@@

.PBVSSSlideInfo@@

.PBVInteractiveInfo@@

.PBVThemeIndexInfo@@

.PBVThemeDiff@@

.PBVThemeDiffList@@

.PBVThemeListMerge@@

.PBVThemeMerge@@

.PBVThemeReviewer@@

.PBVViewTracker@@

.PBVSlideTracker@@

.PBVUndoRedo@@

.PBVCTxFrameObjectSafe@@

.PBVCTxFrame@@

.PBVCTxFrameObserver@@

.PBVOutlineViewInfo@@

.PBVCOutlineText@@

.PBVNotesTextViewInfo@@

.PBVCTxEditor@@

.PBVAdjustIndentInfoCommand@Art@@

.PBVAlignInfoCommand@Art@@

.PBVTextAllowMathContentInfoCommand@Art@@

.PBVAnimationChangeEvent@Art@@

.PBVBackgroundFillCommandState@Art@@

.PBVBackgroundFillInfoCommand@Art@@

.PBVBaseTextEditor@Art@@

.PBVBgStylesGalleryApplyInfoCommand@Art@@

.PBVBgStylesGalleryUpdateInfoCommand@Art@@

.PBVBlipFillPropsSelectionInfo@Art@@

.PBVClearInfoCommand@Art@@

.PBVColorMappingChangedEvent@Art@@

.PBVColorSchemeChangedEvent@Art@@

.PBVColorSchemeOverrideMapping@Art@@

.PBVCompressPicturesInfoCommand@Art@@

.PBVConvertShapesToIgxInfoCommand@Art@@

.PBVConvertIgxToShapesInfoCommand@Art@@

.PBVConvertTextToIgxInfoCommand@Art@@

.PBVConvertIgxToTextInfoCommand@Art@@

.PBVConvertToGroupInfoCommand@Art@@

.PBVCopyInfoCommand@Art@@

.PBVChangePictureInfoCommand@Art@@

.PBVCropPictureInfoCommand@Art@@

.PBVCutInfoCommand@Art@@

.PBVDeleteTableInfoCmd@Art@@

.PBVDeleteTableColumnInfoCmd@Art@@

.PBVDeleteTableRowInfoCmd@Art@@

.PBVDisassembleInfoCommand@Art@@

.PBVDistributeInfoCommand@Art@@

.PBVDocumentPathInfo@Art@@

.PBVDropTextInfoCommand@Art@@

.PBVDuplicateInfoCommand@Art@@

.PBVFillE2oFormattingCommand@Art@@

.PBVFillInfoCommand@Art@@

.PBVFontSchemeChangedEvent@Art@@

.PBVGeometryCommand@Art@@

.PBVGroupInfoCommand@Art@@

.PBVHostParentWindowInfo@Art@@

.PBUIAnimatableShapePart@Art@@

.PBUIAnimatableTextPart@Art@@

.PBVInsertPictureInfoCommand@Art@@

.PBVLineCommand@Art@@

.PBVLineE2oFormattingCommand@Art@@

.PBVLivePreviewInfo@Art@@

.PBVOSSLoadedEvent@Art@@

.PBVOSSOverrideTheme@Art@@

.PBVOSSTheme@Art@@

.PBVPasteInfoCommand@Art@@

.PBVPasteSpecialInfoCommand@Art@@

.PBVRegroupInfoCommand@Art@@

.PBVResetBackgroundInfoCommand@Art@@

.PBVResetColorSchemeInfoCommand@Art@@

.PBVSelectAllInfoCommand@Art@@

.PBVSelectionPaneHostingInfo@Art@@

.PBVSelectionPaneShapeTreeInfo@Art@@

.PBVSetDefaultsFromShapeStylesInfoCommand@Art@@

.PBVSetShapeDefaultsInfoCommand@Art@@

.PBVShapeStyleCommand@Art@@

.PBVStyleInfo@Art@@

.PBVStyleMatrixChangedEvent@Art@@

.PBVTableClientInfo@Art@@

.PBVTableStyleManagerInfo@Art@@

.PBVTableTextListStyleInfo@Art@@

.PBVTextBodyPropertyBagInfoCommand@Art@@

.PBVTextCommand@Art@@

.PBVTextMoveParagraphInfoCommand@Art@@

.PBVTextTypingCommand@Art@@

.PBVTextViewElement@Art@@

.PBVThemeInfo@Art@@

.PBVTrustPolicyInfo@Art@@

.PBV?$TSchemeGalleryApplyInfoCommand@VColorSchemeAndMapping@Art@@@Art@@

.PBV?$TSchemeGalleryApplyInfoCommand@VFontScheme@Art@@@Art@@

.PBV?$TSchemeGalleryApplyInfoCommand@VStyleMatrix@Art@@@Art@@

.PBV?$TSchemeGalleryUpdateInfoCommand@VColorSchemeAndMapping@Art@@@Art@@

.PBV?$TSchemeGalleryUpdateInfoCommand@VFontScheme@Art@@@Art@@

.PBV?$TSchemeGalleryUpdateInfoCommand@VStyleMatrix@Art@@@Art@@

.PBVUngroupInfoCommand@Art@@

.PBVUpgradeToIgxInfoCommand@Art@@

.PBVWordArtClearInfoCommand@Art@@

.PBVWordArtIntenseInfoCommand@Art@@

.PBVWordArtNormalInfoCommand@Art@@

.PBVApplyShapeAndTextFormatInfoCommand@Art@@

.PBVFillCommand@Art@@

.PBVApplyTextFramePropertyBagsCommand@Dr@@

.PBVBaseShapeDrawingElement@Dr@@

.PBVChangeAllVisibilityCommand@Dr@@

.PBVChangePictureCommand@Dr@@

.PBVChangeVisibilityCommand@Dr@@

.PBVConnectorDrawingElement@Dr@@

.PBVDrawingElement@Dr@@

.PBVDrawingTextFrame@Dr@@

.PBVE2oFrameDrawingElement@Dr@@

.PBVFlipCommand@Dr@@

.PBVOrderCommand@Dr@@

.PBVGroupCommand@Dr@@

.PBVGroupDrawingElement@Dr@@

.PBVInsertE2oCommand@Dr@@

.PBVInsertShapeInfoCommand@Dr@@

.PBVInkDrawingElement@Dr@@

.PBVInsertInkInfoCommand@Dr@@

.PBVInsertPictureInfoCommand@Dr@@

.PBVInsertTextBodyInfoCommand@Dr@@

.PBVInsertTextboxInfoCommand@Dr@@

.PBVPictureDrawingElement@Dr@@

.PBVDrawingPictureViewElement@Dr@@

.PBVResetPictureCommand@Dr@@

.PBVRotateCommand@Dr@@

.PBVShapeDrawingElement@Dr@@

.PBVDrawingShapeViewElement@Dr@@

.PBVUngroupCommand@Dr@@

.PBVUIContext@@

.PBVUpdSchemeInfo@@

.PBVTemplateInfoBase@UXGal@@

.PBVFileTemplateInfo@UXGal@@

.PBVMasterTemplateInfo@UXGal@@

.PBVBlankTemplateInfo@UXGal@@

.PBVViewScrollBarPane@@

.PBVView@@

.PBVViewPane@@

.PBVOArtRepeatActionParams@@

.PBVAnimPainterEditor@@

.PBVOArtShapeRBuilder@@

.PBVOleE2oRBuilder@@

.PBVE2oHostingView@@

.PBVE2oHostingViewArtViewHost@@

N.PCN.

&N.xCN.X

N.HDN.

&N.PDN.

&N.XDN.0

1N.hDN.

N.xDN.

0N.pDN.0

&N.HEN.0

&N.XEN.0

&N.HFN.0

&N.XFN.0

&N.hFN.0

&N.xFN.0

N.HGN.P

N.XGN.P

N.hGN.P

N.xGN.P

N.HHN.P

N.XHN.P

N.hHN.P

N.xHN.P

N.pJN.

N.PKN.

N.XKN.

N.hKN.

N.pKN.

1N.pLN.p1N.xLN.X1N.

!N.HMN.

N.XMN.

!N.pMN.

!N.PNN.

!N.hNN.

N.xNN.

!N.PON.

!N.pON.

'N.XPN.

'N.hPN.

'N.xPN.

H)N.PQN.

H)N.pQN.

80N.XSN.

[email protected].

HCN.XCN.

`CN.hCN.

DN. DN.([email protected].

[email protected].`EN.hEN.pEN.xEN.

FN. [email protected].`FN.pFN.

GN. [email protected].`GN.pGN.

HN. [email protected].`HN.pHN.

IN. IN.([email protected].`IN.hIN.pIN.xIN.

XJN.hJN.xJN.

KN.0KN.HKN.`KN.xKN.

MN. MN.8MN.PMN.hMN.xMN.

NN.0NN.HNN.XNN.pNN.

ON.(ON.8ON.HON.XON.hON.xON.

HPN.PPN.`PN.pPN.

QN. QN.0QN.8QN.HQN.XQN.hQN.xQN.

[email protected].

hRN.xRN.

PJN.XJN.hJN.xJN.

P.phN.

.PBVMediaViewElement@@

.PBVMediaCtrlEditor@@

.PBVSSMediaCtrlEditor@@

.PBVMediaCtrlViewElement@@

.PBVMediaActionCtrlViewElement@@

.PBVMediaCtrlBackgroundViewElement@@

.PBVMediaVolumeCtrlViewElement@@

.PBVMediaVolumeCtrlBackgroundViewElement@@

.PBVMediaPlayCtrlViewElement@@

.PBVMediaStopCtrlViewElement@@

.PBVMediaMuteCtrlViewElement@@

.PBVMediaCursorCtrlViewElement@@

.PBVMediaContrailCtrlViewElement@@

.PBVMediaStatusDisplayViewElement@@

.PBVMediaTimeDisplayViewElement@@

.PBVMediaStateDisplayViewElement@@

.PBVMediaPrevNextCtrlViewElement@@

.PBVMediaNudgeCtrlViewElement@@

.PBVMediaVolumeSliderCtrlViewElement@@

.PBVMediaStatusTextViewElement@@

.PBVMediaBookmarkCtrlViewElement@@

.PBVMediaTimelineCtrlViewElement@@

.PBVMediaBookmarksCtrlViewElement@@

.PBVMediaCtrlGroupViewElement@@

.PBVMediaSubGroupCtrlViewElement@@

.PBVMediaCursorTimeDisplayViewElement@@

.PBVMediaVolumeBarCtrlViewElement@@

1!.Kn%.Kn%.

2!.Kn%.Kn%.

!.Kn%.Kn%.

.6q9.6q9.PwN.

.PBVIsNotesInfo@@

.PBVNotesStoredTextSelection@@

.PBVNotesTextEditor@@

.PBVNotesViewElement@@

.PBVNotesTextViewElement@@

.PBVOArtShape@@

.PBVOArtClientDataCT@@

Q".Kn%.Kn%.K

.PBVTextReplaceCommand@@

.PBVAutoBulletCommand@@

".Kn%.Kn%.K

.dyN.

.PBVLegacyChartAnimatablePart@@

.PBVLegacyChartFilterCriteria@@

.PBVLegacyChartViewElementSplitCriteria@@

.PBVLegacyChartViewElement@@

.PBVOleE2oEditor@@

#.Kn%.Kn%.

.PBVIsOutlineInfo@@

.PBVOutlineTextEditor@@

.PBVOutlineIndentCommand@@

.PBVOutlineMoveParagraphCommand@@

.PBVOutlineCutCopyCommand@@

.PBVOutlineViewElement@@

.PBVOutlineTextViewElement@@

.PBVOutlineSlideIconViewElement@@

.PBVOutlinePlaceholderIconViewElement@@

.PBVOutlineStoredTextSelection@@

.Kn%.Kn%.K

.PBVOArtDrawingCT@@

.PBVSlideE2oCT@@

.PBVRegroupCommand@@

.PBVSelectAllCommand@@

.PBVSlideTextCutCopyCommand@@

.PBVSlideE2oPasteCommand@@

.PBVSlideFillCommand@@

.PBVSlideE2oEditor@@

.PBVStoredSlideE2oEditorSelection@@

En%.X>

.PBVPPTOArtViewHost@@

.PBVOArtViewHost@@

.PBVPlaceholderButtonViewElement@@

.PBVSlideRootViewElementCT@@

.PBVSlideThumbViewElement@@

.PBVPlaceholderMiddleViewElement@@

.PBVPlaceholderExtrasViewElement@@

.PBVActiveXViewElement@@

.PBVNotesClipTextViewElement@@

.PBVSlideGroupViewElementCT@@

.PBVSlideTextEditor@@

.PBVStoredTextSelection@@

&.Kn%.Kn%.K

.PBUIOLEActivation@Show@@

.PBVOLEObjectActivation@Show@@

.PBVOLEBranchedShowActivation@Show@@

.PBVPodiumSSManager@@

.PBVPodiumWindow@@

.PBVPodiumDocWin@@

.PBVPodiumUIContext@@

.PBVPodiumNotesView@@

.PBVPodiumSlideShowInfoPaneDialogUser@@

.PBVPodiumSlideShowView@@

.PBVPodiumThumbnailView@@

.PBVPodiumViewBase@@

.PBVOArtViewHost@Show@@

.PBVSlideShowManager@Show@@

.PBVSlideShowView@Show@@

.PBVSlideShowViewImpl@Show@@

.PBVSSUIContext@@

.PBVSSDocWin@@

.PBVSSScreenWin@@

.PBVExternalLink@@

.PBVUpgradeDocumentParams@@

.PBVVBAInfo@@

.PBVSorterView@@

.PBVSorterViewInfo@@

.PBVNotesViewBaseInfo@@

.PBVSlideView@@

.PBVNotesView@@

.PBVHandoutView@@

.PBVSlideViewBase@@

.PBVSlideListView@@

.PBVSlideViewBaseInfo@@

.PBVNotesMasterView@@

.PBVPPHTMLStorage@@

.PBVNewDocFromTemplateActionParams@@

.PBVPreviewAnimationActionParams@@

.PBVChangeEffectColorParams@@

.PBVChangeBuildParams@@

.PBVAddChangeEffectParams@@

.PBVApplyEffectInfoParams@@

.PBVApplyTemplateActionParams@@

.PBVMacroActionParams@@

.PBVReorderEffectParams@@

.PBVFileSpecActionParams@@

.PBVSourceControlParams@@

.PBVPasteSpecialActionParams@@

.PBVCObjectSafe@@

.PBVCCauseAndStringException@@

.PBVCCauseException@@

.PBVCUserAbortException@@

.PBVCTimeoutAbortException@@

.PBVCOleDflException@@

.PBVCMsgException@@

.PBVCOLEException@@

.PBVCOfficeException@@

.PBVCServerErrorException@@

.PBVCLibraryException@@

.PBVRefCountedObject@@

.PBVTLTimeBehavior@@

.PBVTLTimeMedia@@

.PBVTLTimeAnimateBehavior@@

.PBVTLTimeAnimateMotionBehavior@@

.PBVTLTimeAnimateColorBehavior@@

.PBVTLTimeAnimateEffectBehavior@@

.PBVTLTimeAnimateScaleBehavior@@

.PBVTLTimeAnimateRotationBehavior@@

.PBVTLTimeSetBehavior@@

.PBVTLTimeCommandBehavior@@

.PBUITimeVisualElement@@

.PBVTimeShapeReference@@

.PBVTimePageReference@@

'/."'/.7

7.Kn%.Kn%.

.. '/.?'/.7

0.Kn%.Kn%.

.MIDI

.PPTX

.PPTM

.POTX

.POTM

.PPSX

.PPSM

.PPAM

.THMX

.PBVCGenericReadException@@

.PBVCFileException@Ofc@@

.PBVCTxCFRunEntry@@

.PBVCTxCFStyle@@

.PBVCTxCFBaseStyle@@

.PBVCTxCFDerivedStyle@@

.PBVCTxCFExceptionEntry@@

.PBVCTxPFRunEntry@@

.PBVCTxPFStyle@@

.PBVCTxPFBaseStyle@@

.PBVCTxPFDerivedStyle@@

.PBVCTxPFExceptionEntry@@

.PBVInteractiveInfoBase@@

.PBVCTxMetaCharRunLink@@

.PBVCTxMetaChar@@

.PBVCText@@

.PBVCTextRunList@@

.PBVCTxSpecialInfoRunLink@@

.PBVCCharText@@

.PBVCStyleText@@

.PBVCMasterText@@

.PBVCTxPFRulerStyle@@

.PBVCTxCFRulerStyle@@

.PBVPPStorage@@

.PBVMediaBlobSaveManagerWriterParam@@

.PBVMetroReaderParam@Art@@

.aE3.

.PBVCTxObject@@

.PBVCTxRefcountedObject@@

.PBVCTxListLink@@

.PBVCTxList@@

.PBVCTxObsObject@@

.PBVCTxObsNote@@

.PBVCTxChangeNote@@

.PBVCObjectPersist@@

.PBVDateTimeResolver@@

.PBVMediaEventRecord@@

.PBVTriggerEventRecord@@

.PBVEventRecord@@

.PBVCRunLink@@

.PBVCRunEntry@@

.PBVCRefRunLink@@

.PBVCRunList@@

.PBVCEmptyRunLink@@

.PBVSlideE2oFilter@@

.PBVDrawingE2oShapeFilter@@

.PBVPPIStgStorage@@

.PBVPPFileStorage@@

.PBVPPOLEStorage@@

.PBVPPTReader@@

.PBVPPTOEShapeReader@@

.PBVOdpStorage@@

.PBVOdpStorageOle@@

~7.)~7.7

9.<o7.<o7.%!7.Po7.bo7.7

7.so7.7

7.Kn%.Kn%.K

7./"7./"7.

7.Bq7.7

7.Kq7.7

7.Tq7.7

7.fq7.7

7.oq7.7

7.xq7.7

&7.Ft7.Xt7.7

&7.Po7.bo7.7

&7.it7.}t7.7

8.qA8.

7.Kn%.Kn%.6q9.6q9.7

7.Kn%.Kn%.6q9.6q9.C

.PBVXmlStorage@@

.PBVXmlStorageForDRS@@

.PBVXmlStorageOle@@

.PBVXmlStorageClipboard@@

.PBVXmlStorageIStream@@

/;.Kn%.Kn%.

.PBVXmlRepairDataBase@@

.PBVXmlRepairData@@

.PBVXmlReader@@

.PBVPPReaderParam@XmlReader@@

.PBVCObjectPersistXmlReader@@

.PBVSlideSyncInfoXmlReader@@

.PBVExternalObjectXmlReader@@

.PBVExMediaXmlReader@@

.PBVExAudioXmlReader@@

.PBVExCDAudioXmlReader@@

.PBVExOleObjXmlReader@@

.PBVExOleEmbedXmlReader@@

.PBVExOleLinkXmlReader@@

.PBVExControlXmlReader@@

.PBVInteractiveInfoXmlReader@@

.PBVSlideBaseXmlReader@@

.PBVSlideXmlReader@@

.PBVMasterXmlReader@@

.PBVMainMasterXmlReader@@

.PBVContentMasterXmlReader@@

.PBVNotesXmlReader@@

.PBVHandoutXmlReader@@

.PBVShapeBaseXmlReader@@

.PBVDocumentXmlReader@@

.PBVTLTimeNodeXmlReader@@

.PBVTLTimeNodeSequenceXmlReader@@

.PBVTLTimeBehaviorXmlReader@@

.PBVTLTimeAnimateBehaviorXmlReader@@

.PBVTLTimeAnimateScaleBehaviorXmlReader@@

.PBVTLTimeAnimateMotionBehaviorXmlReader@@

.PBVTLTimeAnimateRotationBehaviorXmlReader@@

.PBVTLTimeAnimateColorBehaviorXmlReader@@

.PBVTLTimeAnimateEffectBehaviorXmlReader@@

.PBVTLTimeCommandBehaviorXmlReader@@

.PBVTLTimeSetBehaviorXmlReader@@

.PBVTLTimeMediaNodeXmlReader@@

.PBVTLTimeAudioNodeXmlReader@@

.PBVTLTimeVideoNodeXmlReader@@

.PBVOArtDrawing@@

.PBVSlideE2o@@

.PBVOArtClientData@@

.PBVSlideRootViewElement@@

.PBVBackgroundViewElement@@

.PBVSlideGroupViewElement@@

.PBVDiff@@

.PBVTextBaseDiff@@

.PBVTextDiff@@

.PBVNotesTextDiff@@

.PBVExternalConverterStorage@@

.?AVCInvalidOperationException@Ofc@@

.PBVCStrException@Ofc@@

.PBVCUnknownException@Ofc@@

.PBVCParseException@Ofc@@

.PBVCIntegerOverflowException@Ofc@@

.PBVCOutOfMemoryException@Ofc@@

.PBVCObjectExpiredException@Ofc@@

.PBVCInvalidParamException@Ofc@@

.PBVCInvalidOperationException@Ofc@@

.PBVCOutOfRangeException@Ofc@@

.PBVCBufferOverflowException@Ofc@@

.PBVCLastErrorException@Ofc@@

.PBVCHResultException@Ofc@@

.PBVCOSException@Ofc@@

.PBVCObject@Ofc@@

.PBVCReaderWriterParam@Ofc@@

.PBVInkContentPart@Pml@@

2#3$3(3 3

*393:3;3<3=3>3

\OM.`OM.dOM.hOM.lOM.t

O.xOM.pOM.tOM.

M.phO.

O.(xN.$GT.HxN.

"&&&'"&""

xmSG

'')$(((!

5)'&##!!

333333333330

###%%%&''''(((

###%&'((

"""#%%&''

""%%%&'(

==99777443313110000**

,-//1114||

""""$$%%%%

,-/1114||

""$$$$%%'

!!!!####%%%(((*** ,,,,---{{|||*.

%###%%%(((* ,--{{{|~~

" """" "-.

#%%(((** ,-{{{{~~~

"%%%))   ---{{||~~

/0224447

66666666

 :,9)(#$

%s(@,}

.LQ\_

'''&&$$$$""""

0/.-,  ((%

=9975430

""""###$$$

""""####$$$

,,, *)))&''

Ji..PP)'

Km.gfMMHF

Lnn.gM

..nT440_q

00202-20----'9

0000--  

222200-- }

@8310..  ))

o~÷=

]%dVRB

.MU[O

6 6$6(6,6064686

0 0$0(0,00040

5 5$5(5,5054585<5

8 8$8(8,80848

=,=0=4=8=<=

= =$=(=,=0=4=8=|=

1 1$1(1,10141

9 9$9(9,9094989

1 1$1(1,1014181<1

70=4=<=@=

7 7(7,74787

4 4$4(4,404074787<7

< <$<(<,<0<4<8<<<@<

;!;%;);-;1;5;9;

>$>(>,>0>4>_>

= ="?'?}?

1"151:1`1|1

1%2x2

8œ9[9g9x9

<%<3<<<[<

>,>8>`>~>

2!2'21272

7*7=7]8"9

11D1J1r1}1

=&=.=6=>=

3&4-454:4

8*8:8?8`8

>'?0?>?[?

6$717?7{7

>!>(>/>5><>

3U4]6

0m0%1x1~1

>)?4?=?^?

4$52595?5`5

3%3S3

9#:;;.={=

8Œ8u8

<*=>=\=|=

7Œ8

5!6'6-6Y6}6

8‰8f8

'080#1>1

6'777@7_7

9#:3:::1;

5Q5S5

1-161W1h1q1}1

4L4f4

$040=0|0

1 1:1[1<2

9 949@9[9

78R8d889K9]9

2%2F2Z2}2

11f1o1x1

2 3'3.3[3

8“989@9

6#60676?6

4#4*484<4|4

7*81888?8

7}7

526(7,8=9

89}9

4_5h5~5

45c5

6 7h7ˆ8U8

9 9$9(9,909

3#3)3/373_3

8 828:8?8

3<3a3

6-6}6

>&>@>^>|>

1!1%1)1-111i1m1q1u1y1}1

3%3/393#494[4

7*717:7?7

2 2$2(2,20242

6}7U7

6-7U7}7

8%8X8

0-1U1}1

4%4S4

4O4W4

?(?1?:?[?

4-5D5}5

8%9U9

? ?(?4?\?

6,686@6`6

1,181\1|1

0,080@0`0

>,>8>@>`>

2,282@2`2

5(545<5\5

>(>4><>\>

: :(:0:8:@:\:|:

8 8(808<8`8

>(>0><>`>

2(202<2`2

<$<8<@<\<|<

;,;8;@;`;

:,:8:@:\:|:

=$=,=8=`=

1$1,181\1|1

6(606<6`6

> >(>0><>`>

5$5,585`5

:(:0:<:`:

9$9,989\9|9

:$:,:8:`:

2,282\2|2

4 4(404<4`4

4$4,484\4|4

3(343<3\3

0,080\0|0

0 0$0(0,0

ppmain10.chm

style.visibility

Action: id=%d, src=%d, tbid=%d, mod=%d

Comctl32.dll

dsound.dll

.midi

%s\%s_%s.log

wmvcore.dll

MSCAL.Calendar

OLEACC.DLL

/\.:;?*<>#|"

.pptm

e SlideCreationId %0;e SlideId %1;e ClientCacheId %2;e UserLoginName %3;e UserFriendlyName %4;e SipAddress %5;e Email %6;

o? SlideCoauthorsTable;(*o SlideCoauthor;(&e?0 SlideCreationId;e?1 SlideId;e?2 ClientCacheId;e?3 UserLoginName;e?4 UserFriendlyName;e?5 SipAddress;e?6 Email;)c;p1;)c;f;

.pptx

PowerPoint.Show.8

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

vidc.xxxx

winmm.dll

msvfw32.dll

Forms.Image.1

Forms.ToggleButton.1

Forms.SpinButton.1

Forms.ScrollBar.1

Forms.ComboBox.1

Forms.ListBox.1

Forms.OptionButton.1

Forms.CheckBox.1

Forms.CommandButton.1

Forms.Frame.1

Forms.TextBox.1

Forms.Label.1

Presentation Converters\OOXML Converters\Defaults\Export\

Presentation Converters\OOXML Converters\Defaults\Import\

%s (%s)

http:

https:

.html

.mhtml

ExportFunction

Export Modules\

.MHTML

6a7a7cc6-1bde-4337-bdb7-0c493fa78063

.qt .mov .3g2 .3gp .avi .dv .m4v .mp4

.3g2 .3gp .aac .m4a .m4b .mp4

Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions

.dvr-ms

.potx

.potm

.ppam

PowerPoint.Application.14

hXXp://schemas.microsoft.com/office/2006/activeX

hXXp://schemas.openxmlformats.org/officeDocument/2006/2/activeX

hXXp://schemas.microsoft.com/aml/2001/core

hXXp://schemas.openxmlformats.org/officeDocument/2006/bibliography

hXXp://schemas.microsoft.com/office/word/2010/wordprocessingCanvas

hXXp://schemas.openxmlformats.org/drawingml/2006/3/chartdr

hXXp://schemas.openxmlformats.org/drawingml/2006/chartDrawing

hXXp://schemas.microsoft.com/office/drawing/2010/chartDrawing

hXXp://schemas.openxmlformats.org/drawingml/2006/chart

hXXp://schemas.microsoft.com/office/drawing/2010/compatibility

hXXp://schemas.openxmlformats.org/drawingml/2006/compatibility

hXXp://schemas.microsoft.com/office/2009/07/customui

hXXp://schemas.microsoft.com/office/2006/01/customui/currentDocument

hXXp://schemas.microsoft.com/office/2006/01/customui

hXXp://schemas.microsoft.com/office/2006/01/customui/special

hXXp://schemas.openxmlformats.org/officeDocument/2006/customXml

uuid:C2F41010-65B3-11d1-A29F-00AA00C14882

hXXp://schemas.microsoft.com/office/2006/xmlPackage

hXXp://schemas.microsoft.com/office/drawing/2010/diagram

hXXp://schemas.openxmlformats.org/drawingml/2006/diagram

hXXp://schemas.microsoft.com/office/drawing/2008/diagram

hXXp://schemas.openxmlformats.org/drawingml/2006/lockedCanvas

hXXp://schemas.openxmlformats.org/package/2006/relationships

hXXp://schemas.microsoft.com/ink/2010/main

hXXp://schemas.openxmlformats.org/markup-compatibility/2006

hXXp://schemas.microsoft.com/office/2004/7/core

hXXp://schemas.microsoft.com/office/drawing/2010/main

hXXp://schemas.openxmlformats.org/drawingml/2006/main

hXXp://schemas.microsoft.com/office/office/2005/8

hXXp://schemas.openxmlformats.org/officeDocument/2006/math

hXXp://schemas.openxmlformats.org/officeDocument/2006/relationships

hXXp://schemas.microsoft.com/office/officeart/2005/8/oss

hXXp://schemas.microsoft.com/office/drawing/2010/picture

hXXp://schemas.openxmlformats.org/drawingml/2006/picture

hXXp://schemas.openxmlformats.org/drawingml/2006/presentationDrawing

hXXp://schemas.openxmlformats.org/presentationml/2006/ole

hXXp://schemas.microsoft.com/office/powerpoint/2010/main

hXXp://schemas.microsoft.com/office/2007/6/19/audiovideo

hXXp://schemas.openxmlformats.org/presentationml/2006/main

hXXp://schemas.microsoft.com/server/powerpoint/2009/main

hXXp://schemas.microsoft.com/server/powerpoint/2009/mobile

hXXp://schemas.microsoft.com/office/publisher/2007/7/pubml

hXXp://schemas.microsoft.com/schemaLibrary/2003/core

hXXp://schemas.openxmlformats.org/schemaLibrary/2006/main

hXXp://schemas.microsoft.com/office/drawing/2010/slicer

hXXp://schemas.openxmlformats.org/drawingml/2006/table

hXXp://schemas.microsoft.com/office/word/2003/wordml

hXXp://schemas.microsoft.com/office/word/2003/wordml/sp2

hXXp://schemas.openxmlformats.org/wordprocessingml/2006/main

hXXp://schemas.microsoft.com/office/word/2010/wordml

hXXp://schemas.openxmlformats.org/wordprocessingml/2006/6/main

hXXp://schemas.openxmlformats.org/wordprocessingml/2006/5/main

hXXp://schemas.openxmlformats.org/wordprocessingml/2006/3/main

hXXp://schemas.openxmlformats.org/wordprocessingml/2006/2/main

hXXp://schemas.microsoft.com/office/word/2005/10/wordml

hXXp://schemas.microsoft.com/office/word/2005/11/1/wordml

hXXp://schemas.microsoft.com/office/word/2005/12/wordml

hXXp://schemas.microsoft.com/office/word/2006/1/wordml

hXXp://schemas.microsoft.com/office/word/2006/wordml

hXXp://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing

hXXp://schemas.microsoft.com/office/word/2010/wordprocessingDrawing

hXXp://schemas.microsoft.com/office/word/2010/wordprocessingGroup

hXXp://schemas.microsoft.com/office/word/2010/wordprocessingInk

hXXp://schemas.microsoft.com/office/word/2010/wordprocessingShape

hXXp://schemas.microsoft.com/office/word/2003/auxHint

hXXp://schemas.openxmlformats.org/spreadsheetml/2006/main

hXXp://schemas.microsoft.com/office/excel/2006/main

hXXp://schemas.openxmlformats.org/spreadsheetml/2006/7/main

hXXp://schemas.microsoft.com/office/excel/2006/7/main

hXXp://schemas.openxmlformats.org/spreadsheetml/2006/5/main

hXXp://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing

hXXp://schemas.microsoft.com/office/excel/2010/spreadsheetDrawing

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/2000/xmlns

hXXp://VVV.w3.org/2001/XMLSchema-instance

hXXp://VVV.w3.org/2003/04/emma

hXXp://VVV.w3.org/2003/InkML

hXXp://VVV.w3.org/1998/Math/MathML

hXXp://schemas.microsoft.com/office/drawing/2007/8/2/chart

hXXp://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

hXXp://schemas.microsoft.com/office/spreadsheetml/2009/9/main

hXXp://purl.org/dc/elements/1.1/

hXXp://VVV.w3.org/2001/xml-events

hXXp://VVV.w3.org/2002/xforms

hXXp://VVV.w3.org/1999/xlink

.ppsx

.ppsm

.thmx

^[\/!:]*([^\/!:] )

PPT14.pcb

PowerPoint.ribbonpp

\OLE32.DLL

blank.pot

blank.potx

blank.potm

HrBranchDownloadToWorking Failed, Result = %0x

# %s event log

# PowerPoint version %d.%d.%d.%d %s

\TTY.DLL

windows

Software\Microsoft\Shared Tools\TextConvertors\Import

Software\Microsoft\Shared Tools\Graphics Filters\Import

Software\Microsoft\Shared Tools\Graphics Filters\Export

wpgexp32.flt

PowerPoint.OpenDocument

PowerPoint.Show

PowerPoint.Slide

PowerPoint.Slide.8

PowerPoint.Show.12

PowerPoint.ShowMacroEnabled.12

PowerPoint.Slide.12

PowerPoint.SlideMacroEnabled.12

PowerPoint.Template.12

PowerPoint.TemplateMacroEnabled.12

PowerPoint.OpenDocumentPresentation.12

_vti_bin/lists.asmx

_vti_bin/slidelibrary.asmx

hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/CheckCollisions

hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/GetSlidesXML

hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/GetSlideInfoByIds

hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/Search

hXXp://schemas.microsoft.com/sharepoint/soap/CheckInFile

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" xmlns:xsd="hXXp://VVV.w3.org/2001/XMLSchema" xmlns:soap="hXXp://schemas.xmlsoap.org/soap/envelope/"><soap:Body>

n pptsl;o CheckCollisionsResponse;o CheckCollisionsResult;o results;e0 Title;e1 Url;e?2 ForceCheckout;p1;(*o Slide;n ;a?0 FileName;a?1 Description;a?2 Editor;a?3 EncodedAbsThumbnailUrl;a?4 Modified;a?5 ID;a?6 EncodedAbsUrl;a?7 Presentation;p2;n pptsl;c;)c;f;

n pptsl;o GetSlidesXMLResponse;o GetSlidesXMLResult;o results;e0 Title;e1 Url;e?2 ForceCheckout;p1;(*o Slide;n ;a?0 FileName;a?1 Description;a?2 Editor;a?3 EncodedAbsThumbnailUrl;a?4 Modified;a?5 ID;a?6 EncodedAbsUrl;a?7 Presentation;p2;n pptsl;c;)c;f;

n pptsl;o GetSlideInfoByIdsResponse;o GetSlideInfoByIdsResult;o results;e0 Title;e1 Url;e?2 ForceCheckout;p1;(*o Slide;n ;a?0 FileName;a?1 Description;a?2 Editor;a?3 EncodedAbsThumbnailUrl;a?4 Modified;a?5 ID;a?6 EncodedAbsUrl;a?7 Presentation;p2;n pptsl;c;)c;f;

n pptsl;o SearchResponse;o SearchResult;o results;e0 Title;e1 Url;e?2 ForceCheckout;p1;(*o Slide;n ;a?0 FileName;a?1 Description;a?2 Editor;a?3 EncodedAbsThumbnailUrl;a?4 Modified;a?5 ID;a?6 EncodedAbsUrl;a?7 Presentation;p2;n pptsl;c;)c;f;

</strListUrl></GetSlidesXML>

<GetSlidesXML xmlns="hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/"><strListUrl>

</strListUrl><slideNames>

<CheckCollisions xmlns="hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/"><strListUrl>

</strListUrl><strSearch>

<Search xmlns="hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/"><strListUrl>

</pageUrl><comment></comment><CheckinType>0</CheckinType></CheckInFile>

<CheckInFile xmlns="hXXp://schemas.microsoft.com/sharepoint/soap/"><pageUrl>

</strListUrl><slideids>

<GetSlideInfoByIds xmlns="hXXp://schemas.microsoft.com/sharepoint/soap/SlideLibrary/"><strListUrl>

forms/allitems.aspx

forms/webfldr.aspx

.ShellClassInfo

mysl.ico

Desktop.ini

"#%&*:<>?\{}|~

^0test.ppt

%s - %s

Content-Type: application/x-www-form-urlencoded

hXXp://schemas.microsoft.com/office/2006/metadata/contentType

hXXp://schemas.microsoft.com/office/officeart/2006/outlinee2o

hXXp://schemas.microsoft.com/office/officeart/2006/notese2o

httphttps

newsnntpprosperotelnetrloginwaistnfilemsn

webcalwebcals

hXXp://

PTF://

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Maecenas porttitor congue massa. Fusce posuere, magna sed pulvinar ultricies, purus lectus malesuada libero, sit amet commodo magna eros quis urna.

( %s )

unsupported format or missing DShow filter

%s %s

OArtCmdPerfTypingOnly

OArtCmdPerfLog

fill.on

fill.type

%u.%u

%.4f * #Object.speed * exp( %.4f * $ * %.4f ) * sin( %.4f * $ * %.4f )

Object.speed

Object.direction

%#p:%u

%u %s

%s\%s.log

Benchmark type: %s

%s ms

ThreadMsgWinClass

offprof.dll

PVReadme.htm

playfrombookmark(%s)

#x [%d]

#ppt_y;#ppt_y #ppt_h*%f

#ppt_y #ppt_h*%f;#ppt_y

#ppt_y;#ppt_y-#ppt_h*%f

#ppt_y-#ppt_h*%f;#ppt_y

#ppt_x;#ppt_x-#ppt_w*%f

#ppt_x-#ppt_w*%f;#ppt_x

#ppt_x;#ppt_x #ppt_w*%f

#ppt_x #ppt_w*%f;#ppt_x

#x

stroke.color

style.color

#transform.scale_ctr_y; #transform.scale_ctr_y

#transform.scale_ctr_x; #transform.scale_ctr_x

transform.scale_ctr_y

transform.scale_ctr_x

0; .2; .2; 1

0; 90; 90; 90

0; .8; .8; 1

90; 90; 90; 0

0,0; .5, 0; 1, 1

0,0; .5, 1; 1, 1

0; .5; 1

0.0;45.0

0.0;0.699;1.0

-45.0;45.0;0.0

style.rotation

playFromBookmark(%s)

0, 0; .2, .5; .8, .5; 1, 0

0; .5; .6; 1

style.opacity

style.textDecorationUnderline

style.fontWeight

style.fontStyle

style.fontSize

style.fontFamily

stroke.on

%s%s%c

transform.scale_x

transform.scale_y

transform.scale_z

transform.scale_ctr_z

transform.rotation_x

transform.rotation_y

transform.rotation_z

transform.rotation_ctr_x

transform.rotation_ctr_y

transform.rotation_ctr_z

transform.shear_x

transform.shear_y

transform.shear_z

transform.shear_ctr_x

transform.shear_ctr_y

transform.shear_ctr_z

transform.translation_x

transform.translation_y

transform.translation_z

transform.absolute_x

transform.absolute_y

transform.absolute_z

transform.absolute_extent_x

transform.absolute_extent_y

transform.absolute_extent_z

style.textEffectEmboss

style.textShadow

style.textTransform

style.textEffectOutline

style.textDecorationLineThrough

style.sRotation

style.flipX

style.flipY

imageData.cropTop

imageData.cropBottom

imageData.cropLeft

imageData.cropRight

imageData.src

imageData.gain

imageData.blacklevel

imageData.gamma

imageData.grayscale

imageData.chromakey

fill.color

fill.opacity

fill.color2

fill.method

fill.opacity2

fill.angle

fill.focus

fill.focusposition.x

fill.focusposition.y

fill.focussize.x

fill.focussize.y

stroke.weight

stroke.opacity

stroke.linestyle

stroke.dashstyle

stroke.filltype

stroke.src

stroke.color2

stroke.imagesize.x

stroke.imagesize.y

stroke.startArrow

stroke.endArrow

stroke.startArrowWidth

stroke.startArrowLength

stroke.endArrowWidth

stroke.endArrowLength

shadow.on

shadow.type

shadow.color

shadow.color2

shadow.opacity

shadow.offset.x

shadow.offset.y

shadow.offset2.x

shadow.offset2.y

shadow.origin.x

shadow.origin.y

shadow.matrix.xtox

shadow.matrix.ytox

shadow.matrix.ytoy

shadow.matrix.perspectiveX

shadow.matrix.perspectiveY

reflection.opacity

skew.on

skew.offset.x

skew.offset.y

skew.origin.x

skew.origin.y

skew.matrix.xtox

skew.matrix.ytox

skew.matrix.ytoy

skew.matrix.perspectiveX

skew.matrix.perspectiveY

extrusion.on

extrusion.type

extrusion.render

extrusion.viewpointorigin.x

extrusion.viewpointorigin.y

extrusion.viewpoint.x

extrusion.viewpoint.y

extrusion.viewpoint.z

extrusion.plane

extrusion.skewangle

extrusion.skewamt

extrusion.backdepth

extrusion.foredepth

extrusion.orientation.x

extrusion.orientation.y

extrusion.orientation.z

extrusion.orientationangle

extrusion.color

extrusion.rotationangle.x

extrusion.rotationangle.y

extrusion.lockrotationcenter

extrusion.autorotationcenter

extrusion.rotationcenter.x

extrusion.rotationcenter.y

extrusion.rotationcenter.z

extrusion.colormode

extrusion.bevel.top.height

extrusion.bevel.bottom.height

style.textTransformSub

style.textTransformSuper

%f %f %f %f %d %d

%s%s\

PowerPoint.OpenDocumentPresentation

Excel.OpenDocumentSpreadsheet

Word.OpenDocumentText

Visio.Drawing

WordPad.Document

Excel.Chart.8

Excel.Chart

Excel.SheetBinaryMacroEnabled

Excel.SheetMacroEnabled

Excel.Sheet

Word.DocumentMacroEnabled

Word.Document

{E4C18D40-1CD5-101C-B325-00AA001F3168}

MSGraph

MSGraph.Chart.5

MSGraph.Chart.8

MSGraph.Chart

/content.xml#

MicrosoftOffice/14.0 MicrosoftPowerPoint

Master%d-PPL%d

Master%d-Layout%d-%s-%s

Master%d-bg

Master%d-%s

%s.%s

{BB962C8B-B14F-4D97-AF65-F5344CB8AC3E}

{E180D4A7-C9FB-4DFB-919C-405C955672EB}

{3A86A75C-4F4B-4683-9AE1-C65F6400EC91}

{D42A27DB-BD31-4B8C-83A1-F6EECF244321}

{DAA4B4D4-6D71-4841-9C94-3DE7FCFB9230}

bounce.end

PPTFilesBaseURL

BrowserSupport

Keywords

ChatURL

supportEmptyParas

supportLists

Parse Exception (0xX)

Invalid Operation Exception

LastError Exception (%u)

HResult Exception (0x%X)

File Exception (0x%X): %s

kernel32.dll

%s %s %s

%d.%d.%d.%d

Wversion.dll

{x-x-x-xx-xxxxxx}

Software\Microsoft\Windows\CurrentVersion

{1E77DE88-BCAB-4C37-B9E5-073AF52DFD7A}

mso14.dll

msi.dll

l\Microsoft Shared\office14\mso.dll

%sAudioStream %d

QTMLClient.dll

{2FDB2607-1784-4EEB-B798-7EB5836EED8A}

{EC167BDD-8182-4AB7-AECC-EB403E3ABB37}

{F99C55AA-B7CB-42B0-86F8-08522FDF87E8}

{4599F94E-CEE6-441E-89CC-EB005ECD8F06}

{D31A062A-798A-4329-ABDD-BBA856620510}

{E76CE94A-603C-4142-B9EB-6D1370010A27}

{521415D9-36F7-43E2-AB2F-B90AF26B5E84}

14.0.4754.1000

PPTVIEW.EXE

DemoPri.exe_1608:

.text

`.rdata

@.data

.reloc

XXXXXX

HTTP/1.0

DisableCMD

SOFTWARE\Policies\Microsoft\Windows\System

asp32.dll

operator

GetProcessWindowStation

KERNEL32.dll

USER32.dll

GDI32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

GdiplusShutdown

gdiplus.dll

WS2_32.dll

iphlpapi.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

WININET.dll

GetCPInfo

GetProcessHeap

c:\windows\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\DemoPri.exe

4,525?5~5

SetupErr.log

scesetup.log

update.log

msdtc.log

setupapi.log

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

AKERNEL32.DLL

WUSER32.DLL

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   FIFA-Fest.EXE:1572
   FIFA.exe:1672
   %original file name%.exe:1848
   DemoPri.exe:1608

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\FIFA.exe (24272 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\DemoPri.exe (1815 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\E.tmp\FIFA-2014.ppsx (8594 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\E.tmp\2.bat (59 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\D.tmp\FIFA-Fest.EXE (10315 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\D.tmp\4.bat (58 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\update.log (22516 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (169 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (373 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SetupErr.log (22516 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\setupapi.log (7332 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (279 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (671 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (5204 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (373 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\msdtc.log (22516 bytes)
   %WinDir%\wuapp.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\scesetup.log (22516 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Windows Update" = "c:\windows\wuapp.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.