Trojan.Win32.Swrort.3_da83fc5420

by malwarelabrobot on December 3rd, 2015 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: da83fc5420b55ea9f80ab99fd7ac9760
SHA1: 26a3a26605c207bed1598aef771757b672ce27e3
SHA256: 4a56bcbc23cfa9af4f59a4facee3e46dfcb3ab3fdb6bf8295c97882cf372ddfd
SSDeep: 1536:sTXB 5p3Bi HpM4tmJIxqG0/7vd8xUxPpZzm2OcVf2nxqG0/7vdOm:sTs3BxJNmJIxqdLdT/ZzmVZxqdLdN
Size: 100920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-02-21 21:46:29
Analyzed on: WindowsXP SP3 32-bit
Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ugm_installer.exe:1764
%original file name%.exe:620
awesomium_process.exe:2036
GamesManager.exe:1336
GamesManagerInstaller.exe:228

The Trojan injects its code into the following process(es):

awesomium_process.exe:468

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ugm_installer.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_1 (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_0 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_3 (133211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_2 (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\xinput9_1_0.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Index (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avformat-53.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp6.tmp (1223012 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.dll (662789 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avcodec-53.dll (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_0 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110500670\cdata.dat (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000a (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000006 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000005 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000004 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000003 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000002 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000001 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000f (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\channel.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinInstaller.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000008 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000012 (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000013 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000010 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000011 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000016 (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000017 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000014 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000015 (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinLauncher.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GMLauncher.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\channel.ico (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\QuotaManager (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000010 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000011 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000012 (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000013 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000014 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000015 (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000016 (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000001 (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000f (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000003 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000d (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000c (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000004 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000007 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000006 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000009 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000008 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\languagestrings.ini (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\AEWrapper.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000e (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000002 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Local Storage\http_client.iplay.com_0.localstorage (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000005 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000b (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\icudt.dll (324001 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000007 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\channel.ico (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000a (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000c (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_3 (133211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_2 (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_1 (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000b (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000e (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\index (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000d (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\databases\Databases.db (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000009 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\cdata.dat (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libGLESv2.dll (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\channel.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinUninstallWrapper.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libEGL.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\channel.ico (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avutil-51.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\index (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium_process.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\cdata.dat (12088 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp\System.dll (0 bytes)

The process %original file name%.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Iplay Games\Play Iplay Games.lnk (2 bytes)
%Documents and Settings%\%current user%\Desktop\Play Iplay Games.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\GamesManagerInstaller.exe (1202922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\iplay.ico (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\GamesManagerInstaller.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)

The process awesomium_process.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1 (4203229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1-journal (4231248 bytes)

The process GamesManager.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000011 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000010 (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000013 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000012 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000015 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000014 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000017 (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000016 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000018 (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_vP4MAer2TmLuWqx (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000f (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000d (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000e (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000b (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000c (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000a (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\downloads\6899811668702051793.exe (4096187 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager-journal (11066 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager (1899 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db-journal (8934 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000f (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\index (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000d (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000e (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000b (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000c (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000a (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies-journal (12810 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\index (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_0 (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_1 (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_2 (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_3 (30812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.log (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000010 (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000016 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000006 (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000007 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000005 (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000002 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000003 (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000001 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies (1343 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000008 (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000009 (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000011 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_0 (123361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_1 (25417 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_2 (11657 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_3 (33388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gm.log (990903 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_client.iplay.com_0.localstorage (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000013 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000012 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Index (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000015 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000014 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage-journal (5042 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000008 (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000009 (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000006 (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000007 (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000005 (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000002 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000003 (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000001 (1281 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage-journal (0 bytes)

The process GamesManagerInstaller.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GMInstaller (4 bytes)
%Program Files%\GMInstaller\ugm_installer.exe (484688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\StdUtils.dll (26 bytes)
%Program Files%\GMInstaller\iWinUpgrader.exe (10588 bytes)
%Program Files%\GMInstaller\iWinLauncher.exe (13785 bytes)

The Trojan deletes the following file(s):

%Program Files%\GMInstaller\ugm_installer.exe (0 bytes)
%Program Files%\GMInstaller (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\StdUtils.dll (0 bytes)
%Program Files%\GMInstaller\iWinUpgrader.exe (0 bytes)
%Program Files%\GMInstaller\iWinLauncher.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)

Registry activity

The process ugm_installer.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 BF 7F E9 7D 21 B3 7E A3 BD 85 C4 BB CA 8C CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"EstimatedSize" = "54584"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe -config.channelName= -config.channel= -config.sku= -config.channelDesktopIcon="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"DisplayName" = "Games Manager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"DisplayVersion" = "2.2.3.385"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Oberon Media\GamesManagerInstaller]
"Installer Language" = "1033"

[HKCU\Software\Oberon Media\GamesManager]
"ChannelLanguage" = "en"
"EXE" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"QuietUninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe /S -config.channelName= -config.channel= -config.sku= -config.channelDesktopIcon="
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe"
"Publisher" = "iWin Inc."

The process %original file name%.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 0B C1 D8 10 E7 08 40 DD 23 A6 9F 8E 05 65 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Oberon Media\GamesManager\110341560\shortcuts]
"DesktopShortcut" = "%Documents and Settings%\%current user%\Desktop\Play Iplay Games.lnk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Oberon Media\GamesManager\110341560\shortcuts]
"StartMenuShortcut" = "%Documents and Settings%\%current user%\Start Menu\Programs\Iplay Games\Play Iplay Games.lnk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process awesomium_process.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 34 2C 5E 96 32 FF 00 6A 7A 50 3B 01 36 EA 60"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "awesomium_process.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"BitNames" = " GXIC_ENUM GXIC_DEVINFO GXIC_DEVLIST GXIC_DRIVERCOMM GXIC_API GXIC_CORE GXIC_HOOKS GXIC_COMMON"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"Guid" = "7c830ece-5fb3-417a-a1bd-508f45277356"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"ControlFlags" = "1"

The process awesomium_process.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 04 A0 09 3C BD 7B 18 E1 BA 2C BC 6F 60 98 DF"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"BitNames" = " GXIC_ENUM GXIC_DEVINFO GXIC_DEVLIST GXIC_DRIVERCOMM GXIC_API GXIC_CORE GXIC_HOOKS GXIC_COMMON"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"Guid" = "7c830ece-5fb3-417a-a1bd-508f45277356"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"ControlFlags" = "1"

The process GamesManager.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 1D A8 DC 5B 4C 79 2A F5 B4 53 8F CC 21 C9 4C"

[HKCU\Software\Oberon Media\GamesManager\110341560\Settings]
"InstallLocation" = "c:\games\Iplay Games"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"LocalUri" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\downloads\6899811668702051793.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"StartedAt" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\IplayArcade]
"firstTimeAID" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"BitNames" = " GXIC_ENUM GXIC_DEVINFO GXIC_DEVLIST GXIC_DRIVERCOMM GXIC_API GXIC_CORE GXIC_HOOKS GXIC_COMMON"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"Name" = "IGT Slots Kitty Glitter"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"DrmType" = "IWIN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"Uri" = "http://download.iwincdn.com/gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe"

[HKCU\Software\IplayArcade]
"installroot" = "c:\games\Iplay Games"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"Guid" = "7c830ece-5fb3-417a-a1bd-508f45277356"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"Priority" = "1"
"Content-Size" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"ControlFlags" = "1"

The process GamesManagerInstaller.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 57 91 63 22 B0 3E 3B 92 3D 44 07 14 51 83 3A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\GMInstaller]
"ugm_installer.exe" = "Download Games Manager Installer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
04cfa0c4f90e6b712705ab6e86cbdb2b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\AEWrapper.dll
867cfba84cc0789a809886211bba3013 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\GMLauncher.exe
faf0de7e86c836ba7143180bc016cb70 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\GamesManager.exe
aa39a9eefb9c6d31b5b713fb1cef221e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\Uninstaller.exe
3b0b3b0df088cacd91a116af38d67f37 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\avcodec-53.dll
9b705b19d16f3d35e5175c0a304e06bd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\avformat-53.dll
5d25e492836df0ae8b869ef9077f1ca8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\avutil-51.dll
91bbf94eb4493d7da15f237143c720cd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\awesomium.dll
3872fb58554a9429eb26cc51314f9010 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\awesomium_process.exe
441729c120bc3c322a74dee5f246b32e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\iWinInstaller.exe
7592558f15cb025c704031aeeed498ca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\iWinLauncher.exe
c93f868c160949940e7b098e1df182c8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\iWinUninstallWrapper.exe
694570c2c8dfcc4942bc11da39981252 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\icudt.dll
583eec7bbb5882e58da2bdfa12f91f1f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\libEGL.dll
0da72e655f7241acb663518d55a747cf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\libGLESv2.dll
adfb6d7b61e301761c700652b6fe7ccd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\xinput9_1_0.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22734 23040 4.45882 d8b9f6df4b5b3fcd3dffcc9892202f91
.rdata 28672 4496 4608 3.58804 0f7b157b78f399340e80aa07581634eb
.data 36864 110456 1024 3.20268 ef5b4d57f84d649e1a84fe60909e0d0b
.ndata 147456 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 180224 16952 17408 3.71886 283fee0eec02ea59d79ee1763a97e770

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 25

URLs

URL IP
hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/games/GamesManagerInstaller.exe
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/gm-config
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/firstinstall-iplay.html
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/styles/firstinstall-iplay.css
hxxp://code.jquery.netdna-cdn.com/jquery-1.11.1.min.js
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/scripts/common/utils-ours/iwinutils.js
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/scripts/firstinstall.js
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/games/6898022281323102055.xml
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/iplay-icon.png
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/pause.jpg
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/stop.jpg
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/iplay-submit.png
hxxp://cs230.wac.edgecastcdn.net/images/product/6899811668702051793/fea_3.jpg
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/services/dlog?act=start&gid=6899811668702051793&sid=6898022281323102055&hid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&lid=42&aid=42&pid=0&allaccess=0&ft=0
hxxp://gs1.wpc.v1cdn.net/gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe
hxxp://gm-iplay.iwin.com/gm-config 52.1.171.52
hxxp://gm-iplay.iwin.com/games/6898022281323102055.xml 52.1.171.52
hxxp://static.iwincdn.com/images/product/6899811668702051793/fea_3.jpg 68.232.35.54
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/iplay-submit.png 52.1.171.52
hxxp://gm-iplay.iwin.com/scripts/common/utils-ours/iwinutils.js 52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/styles/firstinstall-iplay.css 52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/pause.jpg 52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html 52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/stop.jpg 52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/iplay-icon.png 52.1.171.52
hxxp://dl.iwin.com/games/GamesManagerInstaller.exe 52.5.235.230
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/scripts/firstinstall.js 52.1.171.52
hxxp://code.jquery.com/jquery-1.11.1.min.js 94.31.29.53
hxxp://ws-iplay.iwin.com/services/dlog?act=start&gid=6899811668702051793&sid=6898022281323102055&hid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&lid=42&aid=42&pid=0&allaccess=0&ft=0 54.165.62.167
hxxp://download.iwincdn.com/gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe 93.184.221.131


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /games/GamesManagerInstaller.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: application/x-msdos-program
Date: Wed, 02 Dec 2015 00:39:53 GMT
Expires: Wed, 02 Dec 2015 04:39:53 GMT
Last-Modified: Mon, 30 Nov 2015 17:25:32 GMT
Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2
Content-Length: 15590928
Connection: Close

<<< skipped >>>

GET /images/product/6899811668702051793/fea_3.jpg HTTP/1.1
Host: static.iwincdn.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm/iwin/index.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=86400, s-maxage=2592000
Content-Type: image/jpeg
Date: Wed, 02 Dec 2015 00:40:44 GMT
Etag: "554a74109edf70ccb6c815c7f99ec07d"
Last-Modified: Thu, 01 May 2014 17:15:00 GMT
Server: ECS (rtm/35A1)
Via: 1.1 origin.iwincdn.com
Via: 1.1 varnish
x-amz-id-2: /pAq6EKcg18VMtz6Aozv84F6HhmPFbhr lRGcMUEH CT4fd5FQJWI5UoopmSV6yl
x-amz-request-id: C00C8F56B7581731
X-Cache: HIT
X-Varnish: 340174587
Content-Length: 4079

<<< skipped >>>

GET /gm-config HTTP/1.1
Host: gm-iplay.iwin.com
Connection: keep-alive
Cache-Control: max-age=0
If-Modified-Since: Sat, 1 Jan 2005 00:00:00 GMT
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm/iwin/index.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 1429
Cache-Control: max-age=7200
Content-Type: application/xml;charset=utf-8
Date: Wed, 02 Dec 2015 00:40:43 GMT
Last-Modified: Sun, 17 Aug 292278994 07:12:55 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: iWin-App, Accept
Via: 1.1 varnish
X-Varnish: 2144618854 2144611444
Content-Length: 4888
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?><gm-url-config xmlns="h
ttp://VVV.iwin.com/schemas/catalog" xmlns:xsi="hXXp://VVV.w3.org/2001/
XMLSchema-instance"><site-host>iplay.iwin.com</site-host&g
t;<gm-host>gm-iplay.iwin.com</gm-host><url-signin>ht
tps://gm-iplay.iwin.com/Login.do</url-signin><url-about-icoin
s>hXXp://gm-iplay.iwin.com/membership</url-about-icoins><u
rl-my-account>hXXps://gm-iplay.iwin.com/account/icoins</url-my-a
ccount><url-signout>hXXps://gm-iplay.iwin.com/Logout.do</u
rl-signout><url-search>hXXp://gm-iplay.iwin.com/search?q=<
/url-search><url-part-rawInfo>/arcade/rawinfo/</url-part-r
awInfo><url-update-arcade>hXXp://gm-iplay.iwin.com/dgu?game=A
RCD&ver=</url-update-arcade><url-update-game>hXXp://gm
-iplay.iwin.com/dgu?game=</url-update-game><url-ws-services-s
log>hXXp://ws-iplay.iwin.com/services/slog?</url-ws-services-slo
g><url-ws-services-dlog>hXXp://ws-iplay.iwin.com/services/dlo
g?act=</url-ws-services-dlog><url-ws-services-ulog>hXXp://
ws-iplay.iwin.com/services/ulog?lid=</url-ws-services-ulog><u
rl-ws-icoins>hXXp://gm-iplay.iwin.com/account/icoins-safe.xml;jsess
ionid=%s</url-ws-icoins><url-part-more-game>/calendar/game
s/new</url-part-more-game><url-part-top-game>hXXp://gm-ipl
ay.iwin.com/arcade/home</url-part-top-game><url-part-ad1>/
arcade/panel/bottom</url-part-ad1><url-part-ad2>/arcad

<<< skipped >>>

GET /catalog/html/firstinstall/firstinstall-iplay.html HTTP/1.1

Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: hXXp://gm/iwin/index.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Encoding: gzip
Content-Type: text/html
Date: Wed, 02 Dec 2015 00:40:43 GMT
ETag: W/"3119-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2009849561
Content-Length: 1176
Connection: keep-alive



GET /catalog/html/firstinstall/styles/firstinstall-iplay.css HTTP/1.1

Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: text/css,*/*;q=0.1
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Type: text/css
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"2225-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2009849565
Content-Length: 2225
Connection: keep-alive
html,body {.    margin: 0;.    background: #fff;.    font-family: helv
etica,arial,verdana,sans-serif;. color: #3c3c3c;.}..#content {.
width: 1000px;. margin: 0 auto;. overflow: hidden;. line-heig
ht: normal;.}..#content p {. line-height: 20px;. margin: 12px 0;
.}...welcome {. width: 280px;. float: left;. padding: 30px 20
px 0;. font-size: 14px;.}...downloadQueue, .newsletter {. float:
left;. width: 295px;. padding: 30px 20px;. font-size: 14px;.
}...welcome h2 {. color: #000;. font-size: 20px;. font-weight
: normal;. margin-bottom: 12px;.}...welcome #iplayGamesIcon {. d
isplay: inline-block;.}..welcome #iplayGamesIcon img {. float: left
; . margin: 0 5px 0 0;.}...welcome #iplayGamesIcon #note {. widt
h: 210px;. float: right;. font-size: 12px;. line-height: 16px
;. margin-top: 2px;.}...section {. border-left: 1px solid #ddd;.
min-height: 310px;.}...section h2 {. color: #fff;. font-size
: 18px;. line-height: 50px;. background: #811414;. height: 47
px;. text-align: center;. vertical-align: middle;. margin-bot
tom: 0;.}...sectionContent {. border: 1px solid #ddd;. padding:
0 11px 0 15px;. min-height: 260px;.}...section #newsletterForm .err
or {. position: relative;. margin: 10px 0;. padding: 10px 10p
x 10px 40px;. color: #ff0000;. border: 1px solid #ff0000;. fo
nt-weight: bold;. border-radius: 6px;.}..section #newsletterForm .e
rror i {. position: absolute;. top: 50%;. margin: -10px 5

<<< skipped >>>

GET /catalog/html/firstinstall/images/pause.jpg HTTP/1.1

Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Type: image/jpeg
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"1314-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2144618864
Content-Length: 1314
Connection: keep-alive

<<< skipped >>>

GET /jquery-1.11.1.min.js HTTP/1.1
Host: code.jquery.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Date: Wed, 02 Dec 2015 00:40:44 GMT
Content-Type: application/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Fri, 24 Oct 2014 00:16:07 GMT
Vary: Accept-Encoding
ETag: W/"54499a47-1762a"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Encoding: gzip

<<< skipped >>>

GET /gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe HTTP/1.1
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Host: download.iwincdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/x-msdos-program
Date: Wed, 02 Dec 2015 00:40:47 GMT
Etag: "801861bb7cf526b51dd690cd1857abcc-25"
Expires: Thu, 10 Dec 2015 19:43:50 GMT
Last-Modified: Sun, 13 Apr 2014 03:55:23 GMT
Server: ECAcc (ams/48C2)
Via: 1.0 download.iwin.com
x-amz-id-2: lwdgVg9IO4dfLQ4xkKHIAx0scC jE1m6tOm9nfb0PXCGOB/miSh0AXaDs5uviWVtyAAwOrgIxYw=
x-amz-request-id: DBBBDEFBCCCBDA49
X-Cache: HIT
Content-Length: 178394424

<<< skipped >>>

GET /catalog/html/firstinstall/scripts/firstinstall.js HTTP/1.1
Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Type: text/javascript
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"5312-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2144618860
Content-Length: 5312
Connection: keep-alive
/**. * @fileOverview Provides functionality for email submission on th
e landing page of game manager first installs.. * . * @author Kyle Bro
wn ([email protected]). * @author Jason Laumeister ([email protected]
). * @reader Carlos Ambrozak ([email protected]). * @review PASS. *.
* @jslint 03/14/2012. */../*global window, document, console, $J */../
**. * @namespace iwin. */.var iwin = window.iwin || {};../**. * @names
pace iwin.firstInstall. */.iwin.firstInstall = iwin.firstInstall || {}
;../**. * @namespace iwin.messages. */.iwin.firstInstall.messages = {.
EMAIL_IS_EMPTY: 'Email field is empty',. EMAIL_IS_NOT_VALID: 'E
mail is not in a valid format',. FIRST_NAME_IS_EMPTY: 'First name f
ield is empty',. SUCCESS: '<p><strong>Thank You!</st
rong></p><p>Thank you for signing up for our email news
letter! You will start to receive our emails within 1-2 weeks notifyin
g you of new game releases and game discounts.</p><p>Enjoy
!</p>'.};../**. * @function. */.iwin.firstInstall.validate = fun
ction () {. var elements = iwin.firstInstall.elements, valid = true
;.. if (elements.errorContent) {. elements.errorContent.html
('');. }.. if (elements.firstName.val().length < 1) {.
iwin.firstInstall.showError('FIRST_NAME_IS_EMPTY');. valid = f
alse;. }.. if (elements.email.val().length > 0) {. if
(!iwin.Util.isEmailValid(elements.email.val())) {. iwin.fir
stInstall.showError('EMAIL_IS_NOT_VALID');. valid = fal

<<< skipped >>>

GET /games/6898022281323102055.xml HTTP/1.1

Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm/iwin/index.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: max-age=7200
Content-Type: application/xml;charset=utf-8
Date: Wed, 02 Dec 2015 00:40:44 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: iWin-App, Accept
Via: 1.1 varnish
X-Varnish: 1925486456
Content-Length: 7257
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?><game xmlns="hXXp://www
.iwin.com/schemas/catalog" xmlns:xlink="hXXp://VVV.w3.org/1999/xlink"
xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" id="igt-slots-ki
tty-glitter" parent-game-id="6899811668702051793" universal-product-id
="igt-slots-kitty-glitter" self="hXXp://gm-iplay.iwin.com/games/igt-sl
ots-kitty-glitter" canonical-url="hXXp://gm-iplay.iwin.com/games/igt-s
lots-kitty-glitter" coming-soon="false"><sku-id>6898022281323
102055</sku-id><title>IGT Slots Kitty Glitter</title>
;<ultra-short-description>Play Real Las Vegas Slots!</ultra-s
hort-description><short-description><span style="color: re
d;"><strong>Play FREE, no time limit, EVER!<br /><b
r /></strong></span>IGT Slots Kitty Glitter is the late
st premium slot experience available for your PC system. Featuring aut
hentic casino slot machines from IGT - The World's Leading Slot Machin
e Manufacturer!<br /><br />Bring casino games into your ho
me! Play Kitty Glitter Slots and see why this Cat is Queen! Plus, thre
e more exciting themes! Amazing graphics and video bonus rounds make t
hese exciting games addicting. Simulate the feeling of being in a real
casino with true-to-life slots.</short-description><long-des
cription>IGT Slots Kitty Glitter is the latest premium slot experie
nce available for your PC system. Featuring authentic casino slot mach
ines from IGT - The World's Leading Slot Machine Manufacturer!<

<<< skipped >>>

GET /catalog/html/firstinstall/images/iplay-icon.png HTTP/1.1

Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Type: image/png
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"7012-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2144618863
Content-Length: 7012
Connection: keep-alive
.PNG........IHDR...8...8.......;.....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:314163C8BBA511E48E69D9A2
9A84EF86" xmpMM:DocumentID="xmp.did:314163C9BBA511E48E69D9A29A84EF86"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:314163C6BBA511E48E
69D9A29A84EF86" stRef:documentID="xmp.did:314163C7BBA511E48E69D9A29A84
EF86"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>[L~.....IDATx..Z.x...~..=....YH..EbP....*.Z
...j..Z\Z......VQ.V...Z.>.u.Z.....B.}.......d......IH ,..s.yN&.2...
[....9...l.^>.. .....!. [email protected]@..h0...f.7............F........
c.`.......ee.......#...z...C.........."..&Nf5....f......y}k.F...@`.gs5
.......1c.=~.....-..q....C}Y.jW~../.......o'../.L.M.h...h0...fw..s....
....i.0`.t........:.......`[......@J~.,.}.<..Z......{.B.y.5.l.*....
.:..i.........>./(......C....[n.z^......'.W.D.'...R..b....9[...2...
PR.<.9.^...gv......u.|T._....D.}...F...1..............G.Q..s...gq..
o]..!^.. .....&34#i..G#:.0!.....&.L*...k....o.3.....`.6.{/......y.

<<< skipped >>>

GET /scripts/common/utils-ours/iwinutils.js HTTP/1.1
Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 533
Cache-Control: max-age=3600
Content-Type: text/javascript
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"12834-1448453100000"
Expires: Wed, 02 Dec 2015 01:31:51 GMT
Last-Modified: Wed, 25 Nov 2015 12:05:00 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2144618859 2144616105
Content-Length: 12834
Connection: keep-alive
function i$(a){if($J(a).length)return $J(a);console.debug("There is no
such element with id = '%s'",a);var b={style:{},src:{},href:{},absolu
tize:function(){},addClassName:function(){},addMethods:function(){},ad
jacent:function(){},ancestors:function(){},childElements:function(){},
classNames:function(){},cleanWhitespace:function(){},clonePosition:fun
ction(){},cumulativeOffset:function(){},cumulativeScrollOffset:functio
n(){},descendantOf:function(){},descendants:function(){},down:function
(){},empty:function(){},extend:function(){},fire:function(){},firstDes
cendant:function(){},getDimensions:function(){},getElementsByClassName
:function(){},getElementsBySelector:function(){},getHeight:function(){
},getOffsetParent:function(){},getStyle:function(){},getWidth:function
(){},hasClassName:function(){},hide:function(){},identify:function(){}
,immediateDescendants:function(){},insert:function(){},inspect:functio
n(){},makeClipping:function(){},makePositioned:function(){},match:func
tion(){},next:function(){},nextSiblings:function(){},observe:function(
){},positionedOffset:function(){},previous:function(){},previousSiblin
gs:function(){},readAttribute:function(){},recursivelyCollect:function
(){},relativize:function(){},remove:function(){},removeClassName:funct
ion(){},replace:function(){},scrollTo:function(){},select:function(){}
,setOpacity:function(){},setStyle:function(){},show:function(){},sibli
ngs:function(){},stopObserving:function(){},toggle:function(){},toggle
ClassName:function(){},undoClipping:function(){},undoPositioned:fu

<<< skipped >>>

GET /catalog/html/firstinstall/images/stop.jpg HTTP/1.1

Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Type: image/jpeg
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"1393-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 1925486457
Content-Length: 1393
Connection: keep-alive
......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows"
xmpMM:InstanceID="xmp.iid:086B8794F8AA11E1B6ED91D1947D4E3A" xmpMM:Docu
mentID="xmp.did:086B8795F8AA11E1B6ED91D1947D4E3A"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:086B8792F8AA11E1B6ED91D1947D4E3A" stRe
f:documentID="xmp.did:086B8793F8AA11E1B6ED91D1947D4E3A"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>....Adobe.d....................................................
......................................................................
......................................................................
.........................................!1."2#.ab3.D.................
.....1.!A..#."2.a...Bbrc$..............?.......Tr...R...Z.Sh.S1..r...s
.f.f....Y.dA...W.g;.. b(.B.$J.....e..B...cb%..;m.jHC....3 ..C. .t.BV.O
....u...?C.w2..n.P.|..sN&.v.~Ii1.. ....pXj..J..Ha ....d.C.-...n).9.}..
....Y.s.?K..-.>....S{.........v.W..?.D?j....9.......

<<< skipped >>>

GET /catalog/html/firstinstall/images/iplay-submit.png HTTP/1.1
Host: gm-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Content-Type: image/png
Date: Wed, 02 Dec 2015 00:40:44 GMT
ETag: W/"2108-1448528502000"
Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2144618865
Content-Length: 2108
Connection: keep-alive
.PNG........IHDR.......(.......T.....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:0BF80373BBA511E4ABC9C1AC
95444688" xmpMM:DocumentID="xmp.did:0BF80374BBA511E4ABC9C1AC95444688"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0BF80371BBA511E4AB
C9C1AC95444688" stRef:documentID="xmp.did:0BF80372BBA511E4ABC9C1AC9544
4688"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>..OB....IDATx....H.G..?m....6.GDe?H2V...".F
I.....i..Z.2Z.H.5j.Fl ."(6.......f......L..ObI.I..F..{_.u.>.<i.'
...><......s_.}...=..9...0A....B..&.).)k........V.F...#B..ne[..0
.P....BHT.Q.]Y........,..B.Q.a..JQ .8dB.b.........!}.0.B([email protected].
B(....a$... ;5O.=Ir...T...C..!.)..K.N]"q.x.....T...`........Y.._&&e..;
.....!m.../dv..:...<>P...,..y.....H ..{ ........|..'1h].......C.
c.&>l........(...$[ .I.?5:......W&..............M.KCG..(..<...2l
..........#.>.K}=:a.......#.....23%G./...]z...P.$O..c..........:MY.
...F......P.....F..C...?.g.x.|"..1.....)...EN....<.E,..B.s~M...

<<< skipped >>>

GET /services/dlog?act=start&gid=6899811668702051793&sid=6898022281323102055&hid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&lid=42&aid=42&pid=0&allaccess=0&ft=0 HTTP/1.1
Host: ws-iplay.iwin.com
Connection: keep-alive
User-Agent: NextDM/2.2.3.385  AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385
Accept: */*
Referer: hXXp://gm/iwin/index.html
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en
Accept-Charset: iso-8859-1,*,utf-8


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Date: Wed, 02 Dec 2015 00:40:45 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 2009849571
Content-Length: 2
Connection: keep-alive
OKHTTP/1.1 200 OK..Accept-Ranges: bytes..Age: 0..Date: Wed, 02 Dec 201
5 00:40:45 GMT..Server: nginx/1.1.19..Via: 1.1 varnish..X-Varnish: 200
9849571..Content-Length: 2..Connection: keep-alive..OK..


The Trojan connects to the servers at the following location(s):

GamesManager.exe_1336:

.text
`.rdata
@.data
.rsrc
@.reloc
u u
FTPSQR
8sqliu
,4,56,789
xSSSh
FTPjKS
FtPj;S
C.PjRV
inflate 1.2.8 Copyright 1995-2013 Mark Adler
USER32.dll
Line %d, Column %d
GetProcessWindowStation
operator
portuguese-brazilian
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
GetProcessHeap
RowKey
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
3.7.14
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
1.2.8
gm.log
Mozilla/5.0 (Windows NT) AppleWebKit/${webkitversion} (KHTML, like Gecko) Version/${GMVersion} GamesManager/${GMVersion}
NextDM/${GMVersion} AppleWebKit/${webkitversion} (KHTML, like Gecko) GamesManager/${GMVersion}
${webkitversion}
HKEY_CURRENT_USER\Software\Oberon Media
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
icon.ico
OmnitureReporter.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
body { -webkit-user-select: none; }
webdata\
cdata.dat
asset://gm/iwin.html
hXXp://client.iplay.com/
hXXps://client.iplay.com/
DefaultCertificateId
downloadURLType
StartMenuIconURL
hXXp://gm/
hXXps://gm/
languagestrings.ini
hXXp://
hXXps://
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
hXXps://p.iwin.com/gm/autoupdate/version.json
GM_GameCertificateFail
hXXp://dl.iwin.com/
hXXps://dl.iwin.com/
hXXp://s-dl.iwin.com/
hXXps://s-dl.iwin.com/
hXXp://d1.iwin.com/
hXXps://d1.iwin.com/
hXXp://s-d1.iwin.com/
hXXps://s-d1.iwin.com/
hXXp://VVV.iwin.com/
hXXps://VVV.iwin.com/
hXXp://gm.iwin.com/
hXXps://gm.iwin.com/
GameExe
\glcfg.date
gameExe
stdat.dat
GLWorker.exe
activate2_%s_%s
activate_%s_%s
ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid%s
gamepage/buynow.html
110266250
110267383
110402287
gas.dll
GamesManagerInstaller.exe
gmv.tmp
URL Request: %s
Error missing mimetype for: %s
Began Loading: %s
Finished Loading: %s
Document Ready Message for: %s
[WebConsole - %s:%d] %s
x.sdfgywvnpq9t81u-nc8qcm=-wetu9q-3v5ry80
-exeu=
-exed=
[ERROR] - %s - Code:%d (OptSku:%s)
[ERROR] - %s - Code:%d
Version string in JSON is invalid found %s
OZip: Writing file %s
OZip: Unable to open writeable stream for file %s
Unable to open zip archive: %s
/index.html
CertificateRevokeCompleted
CertificateRevokeFailed
CertificateRevokeStarted
CertificateGrantComplete
CertificateGrantFailed
CertificateGrantStarted
homepage.html
sign-in.html
errorpage.html
index.html
GMS: getData uri:%s
GMS: getData found resource:%s
GMS: getData loadResource:%s
GMS: getData parse game data:%s
GMS: getData read channel zip:%s
GMS: readFileFromChannelZip file: %s
GMS: readFileFromChannelZip mime: %s
GMS: readFileFromChannelZip OZip::open %s
GMS: handleRequest id:%d path:%s
\iwininstaller.exe
-gmexe="
-gmregkey="
-preinstallurl="%s"
-gamestring=%s
-config.installRoot="
[EVENT] Sending '%s' Event '%d' Message '%s'
[EVENT] Sending '%s' Event '%d'
[EVENT] Game State: %s
[EVENT] Sending '%s' Event '%d' Complete
Game Download Completed, but queueing install for '%s' as another game is installing
_update.zip
and Unable to remove registry keys
Unable to remove registry keys
Game %s has no location of DRM file(s) - unable to revoke a certificate in this case
Installing Certificate %s to Game %s
Game %s has no location of DRM file(s) - unable to install a certificate in this case
Game Doesn't Have an uninstall exe specified
finalizeInstallProcess: iWin Sourced Executable, NEEDSINSTALLREGCOPY: %d
finalizeInstallProcess: KEY_REGCOPYSRC: %s
finalizeInstallProcess: REGMACHINEINSTALLLOCATION: %s
finalizeInstallProcess: attempting to find game in registry by sku: %s
finalizeInstallProcess: Failed to find game by sku. Try by name: %s
finalizeInstallProcess: folderName: %s
finalizeInstallProcess: Copy Root destKey: %s folderName: %s
%s\%s\%s
finalizeInstallProcess: Copy registry key 'GameExe' value dest: %s src: %s
finalizeInstallProcess: 'GameExe' value to set: %s
finalizeInstallProcess: Copy registry key 'InstallDir' dest: %s src: %s
finalizeInstallProcess: 'InstallDir' setValue: %s
finalizeInstallProcess: Copy registry key 'GameName' to dest: %s
finalizeInstallProcess: 'GameName' setValue: %s
gameAID|%s|gameLID|%s
finalizeInstallProcess: Writing stampdata file %s
finalizeInstallProcess: Unable to write stampdata file for %s
finalizeInstallProcess: Deleting registry key: %s
finalizeInstallProcess: regRoot: %s
finalizeInstallProcess: regRoot query mSKU: %s
GameId setValue key: %s value: %s
finalizeInstallProcess: regRoot key does not exist
\iWinUninstallWrapper.exe -sku=
Error creating registry keys for iwin drm game
Error opening registry keys to finalize install of iwin drm game
Failed to update DRM for thread for DRM Update for game %s [Thread Autoclosed]
Failed to launch thread for DRM Update for game %s
Game: updateDrmStats name:%s
Game: updateDrmStats command:%s
Game: open Drm file: %s
Game %s [Key: %s] has %d seconds remaining
Game: updateDrmStats ODrm::load fail name:%s
[IWIN-Game-Config (%s)] %s
GM_initialise: Initialise JS Reporting
GM Location: %s
GM Version: %s
asset://gm/index.html
reg path: %s
subKeys found: %d
skuValue : %s
skuValue (Read from root): %s
skuValue not found in 'GameID' key or Registry Root
appName : %s
gameExe : %s
gameExe not found
installDir : %s
Game %s(%s): cannot find game folder at location '%s' therefore skipping game
GM_scanForInstalledGames: registry sku[%s] channel[%s]
GM_scanForInstalledGames: EXE launch[%s] drm[%s]
GM_scanForInstalledGames: getExeFilename
GM_scanForInstalledGames: appName[%s]
Game Download Found: [%s] %s
iwin://ACDCMD=
if(!window.GamesManager) {
window.GamesManager = {
GamesManager.mEventCallbackObject[GamesManager.mEventCallbackMethod](event, object );
for(var i = 0 ; i < GamesManager.mGames.length && !ret ; i++ ) {
if(GamesManager.mGames[i].sku === sku) {
ret = GamesManager.mGames[i];
for(var i = 0 ; i < GamesManager.mGames.length && idx <0 ; i++ ) {
GamesManager.mGames.splice(idx,1);
if(!GamesManager.findGame(sku)) {
drmType: GamesManager.DRMTYPE_TRIAL,
GamesManager.mGames.push(g);
g.state = GamesManager.GAMESTATE_DOWNLOADING;
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEDOWNLOADSTART,g);
var dloadMax = Math.floor(Math.random() * 20) + 10;
var dloadSize = Math.floor((Math.random() * 1000000000) + 10000000);
g.downloadStartedAt = Math.floor(Date.now()/1000);
g.downloadEstimatedComplete = Math.floor(Date.now()/1000) + (dloadMax*1000);
g.downloadTotalBytes = dloadSize;
g.downloadCurrentBytes = Math.floor((dloadSize / dloadMax) * dloadCount);
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEDOWNLOADPROGESS,g);
g.state = GamesManager.GAMESTATE_INSTALLING;
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEINSTALLSTARTED,g);
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEINSTALLCOMPLETED,g);
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTSTARTED,g);
g.drmRemains = 60*60;
g.drmTrialTotal = g.drmRemains;
g.state = GamesManager.GAMESTATE_READY;
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTCOMPLETE,g);
}, 1000);
GamesManager.EVENT_
GamesManager.GAMESTATE_
GamesManager.SYSTEMREQUEST_
// GamesManager Game Flags Passed in the {game}.flag JS as an CSV
GamesManager.GAMEFLAG_%s = '%s';
GamesManager.DRMSOURCE_BLAZE = '%s';
GamesManager.DRMSOURCE_IWIN = '%s';
// GamesManager DRM Certificate Types
GamesManager.DRMTYPE_PURCHASED = '%s';
GamesManager.DRMTYPE_AYCE = '%s';
GamesManager.DRMTYPE_TRIAL = '%s';
GamesManager.DRMTYPE_GAS = '%s';
Sending Event %d: %s
Error Sending Event %d
Sending SystemEvent %d: %s
http_
Local Storage\{channelurl}.localstorage
{channelurl}
110500670
update ItemTable set key='resources-{nchannel}' where key='resources-{ochannel}';
update ItemTable set key='channel-{nchannel}' where key='channel-{ochannel}';
https_
manifest_url
iWin Download Requested: %s
?ACDCMD
iWin Download Requested, doesn't include ACDCMD* option - Skipping download
iWin Link protocol Requested: %s
iWin:// protocol Requested: %s
Read iWinChannel::REGUSERLEGACY_LOGINHID %s
set property UNIQUEMACHINEID %s
HKEY_CURRENT_USER\Software\Oberon Media\Client\Components\Initiator
r.first
r.last
LEGACY_LOGINNAME
LEGACY_LOGINTOKEN
set property LEGACY_LOGINHARDWAREID %s
LEGACY_LOGINHARDWAREID
if(GamesManager.mEventCallbackObject) {
var g = GamesManager.findGame(unitySku);
GamesManager.uninstallGame(unitySku);
GamesManager.downloadGame(unitySku,g.name,"",g.drmType);
}, 4000);
console.log('GM.registerCallback not called');
sidrUrl
g.state = GamesManager.GAMESTATE_UNINSTALLING;
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEUNINSTALLSTARTED, g);
GamesManager.removeGame(unitySku);
g.state = GamesManager.GAMESTATE_REMOVED;
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEUNINSTALLCOMPLETED, g);
}, 2000);
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEREVOKESTARTED, g);
if(g.drmType) {
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEREVOKECOMPLETED, g);
g.drmType = null;
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEREVOKEFAILED, g);
Revokes the current certificate
revokeCertificate
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTSTARTED, g);
if(certificateName.indexOf('CERT_M') === 0) {
g.drmType = GamesManager.DRMTYPE_TRIAL;
g.drmRemains = (parseInt(certificateName.substring('CERT_M'.length)) * 1000);
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTCOMPLETE, g);
} else if(certificateName.indexOf('@') > 0) {
g.drmType = GamesManager.DRMTYPE_AYCE;
g.drmRemains = 0;
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTFAILED, g);
GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTFAILED);
Installs a certificate synchronously
installCertificateSynchronous
g.drmType = GamesManager.DRMTYPE_PURCHASED;
optionalCertificateKey
certificateName
Installs a certificate
installCertificate
GamesManager.sendGameEvent(GamesManager.EVENT_GAMELAUNCHSTARTED, g);
GamesManager.sendGameEvent(GamesManager.EVENT_GAMELAUNCHCOMPLETE, g);
GamesManager.sendGameEvent(GamesManager.EVENT_GAMEOVER, g);
}, 5000);
GamesManager.sendGameEvent(GamesManager.EVENT_GAMELAUNCHFAILED);
if(GamesManager.findGame(unitySku)) {
console.log("Removed download data");
console.log("Game Not Found");
console.log("Not able to resume");
console.log("Not able to pause");
GamesManager.addGame(unitySku,name,drmType);
console.log('GM.registerCallback has not called');
console.log('Not implemented in debug');
console.log('Not Implemented');
this.mEventCallbackObject = object;
this.mEventCallbackMethod = methodname;
this.mGames = DEFAULT_GAMES;
this.mSystem = DEFAULT_SYSTEM;
GamesManager.sendGameEvent(GamesManager.EVENT_GAMESMANAGERCONFIGREADY, GamesManager.mSystem );
GamesManager.sendGameEvent(GamesManager.EVENT_GAMESMANAGERGAMESREADY, GamesManager.mGames );
}, 500);
console.log('Not Currently Implemented');
window.close();
window.open(uri);
Shells out to an exe, help or other protocol specified request
console.log(message);
Attempting to shell out to %s
startDownload(): Not enough parameters passed
METHOD_GETGAMEUSERPROPERTY: 2 sku param = %s
METHOD_GETGAMEUSERPROPERTY: 4 propName = %s
METHOD_GETGAMEUSERPROPERTY: 5 propValue = %s
config.iwinrequest
debug.buildappcache
qa.setversion
qa.updatecheck
config.channelStartMenuUrl
config.channelDesktopUrl
config.channelIcon
config.channellanguage
gui.showsplash
config.nphase.src
config.nphase
config.uri
config.channel
config.sku
debug.logurldata
debug.ignoreredirect
debug.datafolder
debug.scrollbars
debug.testdata
debug.dumpjs
debug.refreshcache
debug.window
debug.file
Unable to find language, defaulting to %s
channel.cfg
RegMachineInstallGMLocationKeyName
RegMachineInstallGMLocationKeyValue
HKEY_CURRENT_USER\Software\iWinArcade\installRoot
InstallerRequiredRegistryKeyLocation
hXXp://gm/iwin/index.html
ChannelLaunchUrl
KeyCopyRegFolder
c:\games\iWin
RegUserLegacyLoginHID
RegUserLegacyLoginToken
RegUserLegacyLoginName
needsRegKeyCopy
supportsBlazeGames
[ERROR] Failed to start GLWorker for iwin DRM - %s
[iWinDRMReports] AltUserName: %s
[iWinDRMReports] DaysLeft: %s
[iWinDRMReports] Timeleft: %s
* Oberon Channel Setting = %s
* iWin Registry Setting = %s
* Default Setting = %s
* CURRENT SETTING = %s
*.dta
JSon Error Parsing: %s
asset://debugger//index.html
Setting Status: %d
Downloading %s to %s
The requested operation cannot be carried out because the handle supplied is not in the correct state
The type of handle supplied is incorrect for this operation
Not enough memory was available to complete the requested operation. (Windows error code)
WinHttpQueryHeaders GetLastError Returned
Error Not Supported
Error Version Not Supported
Download Read Failure error %d
Download Recieve Failure error %d
User-Agent: %s
|GoogleChrome
\Google\Chrome\User Data\Default
last_chrome_version
Firefox
\Mozilla\Firefox\Profiles
prefs.js
HKLM\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion
HKLM\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion
browser.startup.homepage
OFIS - Unable to open file %s due to win32 code %X
DoesFolderExist INVALID_FILE_ATTRIBUTES and GetLastError returned %I for %s
%D/%D/%D
%d.d
InstallKey
ExpireCurrentKey
SetDefaultKey
Launching With CreateProcess Executable: %s
Launching Executable: %s
Using Params: %s
Launching Executable (No Control): %s
Launching via rundll32.exe
url.dll,FileProtocolHandler
HKEY_CURRENT_USER
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
%d-%d-%d %d:%d:%d
Read HKLM\Software\Microsoft\Cryptography\MachineGuid %s
PROFILING: Point (%s) tool %d ms
Windows Version: %d.%d [Build:%d]
SP: %s
Suite Mask: %d
CPU Arch: %d - %s
Logical Processors: %d
Processor Mask: %d
Graphic Device: %s - %s - %d
<--- SEH REPORT FOLLOWS (Code %X) --->
%X - %s
%X - [UNKNOWN]
Process Name: %s
- Context Flags: %X
- Debug Registers: Dr0:%X Dr1:%X Dr2:%X Dr3:%X Dr6:%X Dr7:%X
- FP: ControlWord:%X StatusWord:%X TagWord:%X ErrorOffset:%X ErrorSelector:%X DataOffset:%X DataSelector:%X Cr0npxState:%X
- FPR:%d=%X
FPR:%d=%X
- Segments: Gs:%X Fs:%X Es:%X Ds:%X
- Integers: Edi:%X Esi:%X Ebx:%X Edx:%X Ecx:%X Eax:%X
- Control: Ebp:%X Eip:%X Esp:%X SegSs:%X
- Ext:%d=%X
Ext:%d=%X
Exception Code:%X address:%X flags:%X
- Parameters: %d
- PInfo: %d=%X
<--- VEH REPORT FOLLOWS --->
<--- CRT Terminate Called --->
Line %d in File: %s Function: %s
<--- Failed to allocate enough memory required:%d
- x:%d y%d
xinput9_1_0.dll
libGLESv2.dll
libEGL.dll
icudt.dll
awesomium_process.exe
awesomium.dll
avutil-51.dll
avformat-53.dll
avcodec-53.dll
Checking for file %s : %s
?#%X.y
KERNEL32.dll
GDI32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
SHFileOperationW
ShellExecuteExW
ShellExecuteW
SHELL32.dll
ole32.dll
?spec@WebURL@Awesomium@@QBE?AVWebString@2@XZ
??1WebURL@Awesomium@@QAE@XZ
??0WebConfig@Awesomium@@QAE@XZ
?Create@ResourceResponse@Awesomium@@SAPAV12@IPAEABVWebString@2@@Z
?Assign@WebString@Awesomium@@QAEAAV12@ABV12@@Z
?Assign@WebString@Awesomium@@QAEAAV12@PBG@Z
?data@WebString@Awesomium@@QBEPBGXZ
??1WebString@Awesomium@@QAE@XZ
??0WebString@Awesomium@@QAE@XZ
??0WebString@Awesomium@@QAE@PBG@Z
?Shutdown@WebCore@Awesomium@@SAXXZ
?Initialize@WebCore@Awesomium@@SAPAV12@ABUWebConfig@2@@Z
??1WebConfig@Awesomium@@QAE@XZ
?OnWillDownload@ResourceInterceptor@Awesomium@@UAEXHHABVWebURL@2@@Z
?SetCustomMethod@JSObject@Awesomium@@QAEXABVWebString@2@_N@Z
?Invoke@JSObject@Awesomium@@QAE?AVJSValue@2@ABVWebString@2@ABVJSArray@2@@Z
?SetProperty@JSObject@Awesomium@@QAEXABVWebString@2@ABVJSValue@2@@Z
?ToString@JSValue@Awesomium@@QBE?AVWebString@2@XZ
??0JSValue@Awesomium@@QAE@ABVWebString@1@@Z
?SendResponse@DataSource@Awesomium@@QAEXHIPBEABVWebString@2@@Z
??_7Process@WebViewListener@Awesomium@@6B@
??_7View@WebViewListener@Awesomium@@6B@
??_7Menu@WebViewListener@Awesomium@@6B@
??_7Load@WebViewListener@Awesomium@@6B@
??0WebPreferences@Awesomium@@QAE@XZ
??0WebKeyboardEvent@Awesomium@@QAE@IIJ@Z
??0WebURL@Awesomium@@QAE@ABVWebString@1@@Z
??1WebPreferences@Awesomium@@QAE@XZ
??1Menu@WebViewListener@Awesomium@@MAE@XZ
??1Process@WebViewListener@Awesomium@@MAE@XZ
??1Load@WebViewListener@Awesomium@@MAE@XZ
??1View@WebViewListener@Awesomium@@MAE@XZ
?ToUTF8@WebString@Awesomium@@QBEIPADI@Z
?CreateFromUTF8@WebString@Awesomium@@SA?AV12@PBDI@Z
??AWebMenuItemArray@Awesomium@@QBEABUWebMenuItem@1@I@Z
?size@WebMenuItemArray@Awesomium@@QBEIXZ
??0WebString@Awesomium@@QAE@ABV01@@Z
??1WebMenuItem@Awesomium@@QAE@XZ
??0WebMenuItem@Awesomium@@QAE@ABU01@@Z
WinHttpReceiveResponse
WinHttpSetOption
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpSetStatusCallback
WinHttpOpen
WinHttpOpenRequest
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpReadData
WINHTTP.dll
VERSION.dll
PSAPI.DLL
dbghelp.dll
GetCPInfo
.?AVMenu@WebViewListener@Awesomium@@
.?AVProcess@WebViewListener@Awesomium@@
.?AVLoad@WebViewListener@Awesomium@@
.?AVView@WebViewListener@Awesomium@@
.?AVHttpDownload@@
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe
.header {
.footer {
.desc {
if (location.search) {
var parts = location.search.substring(1).split('&');
for (var i = 0; i < parts.length; i++) {
var nv = parts[i].split('=');
document.getElementById('error_code').innerHTML = "Error " + params.err;
var appName = params.appname;
if(appName != null && appName.length > 0) {
var el = document.getElementsByName('appname');
for(var i = 0 ; i < el.length ; i++) {
el[i].innerHTML = appName;
function gotoUrl() {
if(params.faqurl) {
<div class='header'><p id='error_code'>Error %CODE%</p></div>
<p>If all else fails you could attempt to reinstall <span name='appname'>Games Manager</span> by clicking the following address <a href='javascript:gotoUrl();'>F.A.Q</a> <i>Note: Link will open in your normal browser</i></p>
.header {
if (messageData.slice(0, TYPE_EVENT.length) == TYPE_EVENT) {
} else if (messageData.slice(0, TYPE_JS.length) == TYPE_JS) {
function addMessage(msg) {
document.getElementById('debuglog').innerHTML += msg + "<br/>";
function addJSResult(msg) {
document.getElementById('execlog').innerHTML += msg + "<br/>";
document.getElementById('eventlog').innerHTML += eData.toString() + "<br/>";
var elem = document.getElementById(dId);
var elemSym = document.getElementById(dId + "_symbol");
if (elem.style.display == 'block') {
elem.style.display = 'none';
elemSym.innerHTML = '[ ]';
elem.style.display = 'block';
elemSym.innerHTML = '[-]';
var jString = document.getElementById('sendjscript').value;
Debugger.sendMessage('EXECUTE_JAVASCRIPT', jString);
<div class='header'><a href='#' onclick='toggle("execlog");' id='execlog_symbol'>[ ]</a>Execute JS</div>
<div id='execlog' style='display:none;'>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
-config.channelName="
window.close = function(){ AweView.closeWindow();}
-config.channel=
-config.uri=
-add.gamesExplorer=1
-add.gameDesktop=1
-add.gameStartMenu=1
-add.uninstallProgram=1
-add.uninstallStartMenu=1
-config.channelLanguage=
GMLauncher.exe
-config.gmLauncher="
-config.startMenuIconUrl=
-add.channelStartMenu=1
Webkit Internal Error, closing application
OAutoUpdate Failed to get interface to IBackgroundCopyJobHttpOptions
\/:*?"<>|
CERTKEY_M
CERTID
CERTKEY_
CERT_
rundll32.exe
SupportFlags
\StringFileInfo\xx\%s
The Download Games Manager has encountered an error and needs to close. Please click the 'OK' button below to exit the Games Manager. You may relaunch it from your Start Menu or desktop icon. If this error continues, please click here to submit an error report to our developers.
hXXp://s3.parature.com/ics/support/default.asp?deptID=5816&task=knowledge&questionID=3190
2.2.3.385
GamesManager.exe

awesomium_process.exe_468:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
C:\Users\developer\awesomium-1-7\chromium\src\build\Release\awesomium_process.pdb
KERNEL32.dll
awesomium.dll
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium_process.exe
1.7.5.1
awesomium_process.exe

awesomium_process.exe_468_rwx_01C00000_00100000:

PVh%F


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ugm_installer.exe:1764
    %original file name%.exe:620
    awesomium_process.exe:2036
    GamesManager.exe:1336
    GamesManagerInstaller.exe:228

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_1 (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_0 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_3 (133211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_2 (33391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\xinput9_1_0.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Index (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avformat-53.dll (6584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp6.tmp (1223012 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.dll (662789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe (110155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avcodec-53.dll (33633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_0 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110500670\cdata.dat (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000a (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000006 (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000005 (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000004 (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000003 (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000002 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000001 (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000f (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\channel.ico (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinInstaller.exe (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000008 (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000012 (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000013 (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000010 (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000011 (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000016 (21216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000017 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000014 (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000015 (20416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinLauncher.exe (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\cdata.dat (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GMLauncher.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\channel.ico (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\QuotaManager (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000010 (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000011 (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000012 (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000013 (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000014 (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000015 (20416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000016 (21216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000001 (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000f (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000003 (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000d (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000c (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000004 (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000007 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000006 (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000009 (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000008 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\languagestrings.ini (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\AEWrapper.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000e (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000002 (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Local Storage\http_client.iplay.com_0.localstorage (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000005 (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000b (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\icudt.dll (324001 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000007 (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\channel.ico (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000a (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000c (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_3 (133211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_2 (33391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_1 (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000b (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000e (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\index (18424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000d (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\cdata.dat (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\databases\Databases.db (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000009 (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\cdata.dat (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\cdata.dat (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libGLESv2.dll (17848 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\channel.ico (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinUninstallWrapper.exe (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libEGL.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\channel.ico (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avutil-51.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\index (18424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium_process.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\cdata.dat (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Iplay Games\Play Iplay Games.lnk (2 bytes)
    %Documents and Settings%\%current user%\Desktop\Play Iplay Games.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\GamesManagerInstaller.exe (1202922 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\iplay.ico (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1 (4203229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1-journal (4231248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000011 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000010 (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000013 (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000012 (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000015 (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000014 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000017 (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000016 (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000018 (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_vP4MAer2TmLuWqx (326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000f (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000d (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000e (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000b (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000c (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000a (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\downloads\6899811668702051793.exe (4096187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage (299 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager-journal (11066 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db-journal (8934 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000f (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\index (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000d (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000e (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000b (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000c (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000a (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies-journal (12810 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\index (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_0 (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_1 (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_2 (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_3 (30812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.log (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000010 (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000016 (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000006 (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000007 (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000004 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000005 (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000002 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000003 (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000001 (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000008 (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000009 (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000011 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_0 (123361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_1 (25417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_2 (11657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_3 (33388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gm.log (990903 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_client.iplay.com_0.localstorage (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000013 (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000012 (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Index (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000015 (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000014 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage-journal (5042 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000008 (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000009 (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000006 (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000007 (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000004 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000005 (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000002 (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000003 (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000001 (1281 bytes)
    %Program Files%\GMInstaller (4 bytes)
    %Program Files%\GMInstaller\ugm_installer.exe (484688 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsProcess.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\StdUtils.dll (26 bytes)
    %Program Files%\GMInstaller\iWinUpgrader.exe (10588 bytes)
    %Program Files%\GMInstaller\iWinLauncher.exe (13785 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
