Trojan.Win32.Swrort.3_da83fc5420 – Adaware

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: da83fc5420b55ea9f80ab99fd7ac9760

SHA1: 26a3a26605c207bed1598aef771757b672ce27e3

SHA256: 4a56bcbc23cfa9af4f59a4facee3e46dfcb3ab3fdb6bf8295c97882cf372ddfd

SSDeep: 1536:sTXB 5p3Bi HpM4tmJIxqG0/7vd8xUxPpZzm2OcVf2nxqG0/7vdOm:sTs3BxJNmJIxqdLdT/ZzmVZxqdLdN

Size: 100920 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-02-21 21:46:29

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ugm_installer.exe:1764
%original file name%.exe:620
awesomium_process.exe:2036
GamesManager.exe:1336
GamesManagerInstaller.exe:228

The Trojan injects its code into the following process(es):

awesomium_process.exe:468

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process ugm_installer.exe:1764 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_1 (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_0 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_3 (133211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_2 (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\xinput9_1_0.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Index (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avformat-53.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp6.tmp (1223012 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.dll (662789 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avcodec-53.dll (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_0 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110500670\cdata.dat (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000a (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000006 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000005 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000004 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000003 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000002 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000001 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000f (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\channel.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinInstaller.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000008 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000012 (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000013 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000010 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000011 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000016 (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000017 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000014 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000015 (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinLauncher.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GMLauncher.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\channel.ico (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\QuotaManager (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000010 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000011 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000012 (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000013 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000014 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000015 (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000016 (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000001 (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000f (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000003 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000d (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000c (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000004 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000007 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000006 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000009 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000008 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\languagestrings.ini (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\AEWrapper.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000e (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000002 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Local Storage\http_client.iplay.com_0.localstorage (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000005 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000b (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\icudt.dll (324001 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000007 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\channel.ico (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000a (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000c (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_3 (133211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_2 (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_1 (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000b (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000e (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\index (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000d (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\databases\Databases.db (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000009 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\cdata.dat (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libGLESv2.dll (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\channel.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinUninstallWrapper.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libEGL.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\channel.ico (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avutil-51.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\index (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium_process.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\cdata.dat (12088 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp\System.dll (0 bytes)

The process %original file name%.exe:620 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Iplay Games\Play Iplay Games.lnk (2 bytes)
%Documents and Settings%\%current user%\Desktop\Play Iplay Games.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\GamesManagerInstaller.exe (1202922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\iplay.ico (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\GamesManagerInstaller.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)

The process awesomium_process.exe:468 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1 (4203229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1-journal (4231248 bytes)

The process GamesManager.exe:1336 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000011 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000010 (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000013 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000012 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000015 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000014 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000017 (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000016 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000018 (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_vP4MAer2TmLuWqx (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000f (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000d (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000e (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000b (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000c (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000a (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\downloads\6899811668702051793.exe (4096187 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager-journal (11066 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager (1899 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db-journal (8934 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000f (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\index (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000d (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000e (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000b (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000c (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000a (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies-journal (12810 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\index (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_0 (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_1 (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_2 (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_3 (30812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.log (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000010 (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000016 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000006 (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000007 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000005 (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000002 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000003 (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000001 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies (1343 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000008 (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000009 (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000011 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_0 (123361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_1 (25417 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_2 (11657 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_3 (33388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gm.log (990903 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_client.iplay.com_0.localstorage (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000013 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000012 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Index (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000015 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000014 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage-journal (5042 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000008 (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000009 (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000006 (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000007 (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000005 (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000002 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000003 (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000001 (1281 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage-journal (0 bytes)

The process GamesManagerInstaller.exe:228 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\GMInstaller (4 bytes)
%Program Files%\GMInstaller\ugm_installer.exe (484688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\StdUtils.dll (26 bytes)
%Program Files%\GMInstaller\iWinUpgrader.exe (10588 bytes)
%Program Files%\GMInstaller\iWinLauncher.exe (13785 bytes)

The Trojan deletes the following file(s):

%Program Files%\GMInstaller\ugm_installer.exe (0 bytes)
%Program Files%\GMInstaller (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\StdUtils.dll (0 bytes)
%Program Files%\GMInstaller\iWinUpgrader.exe (0 bytes)
%Program Files%\GMInstaller\iWinLauncher.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)

Registry activity

The process ugm_installer.exe:1764 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 BF 7F E9 7D 21 B3 7E A3 BD 85 C4 BB CA 8C CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"EstimatedSize" = "54584"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe -config.channelName= -config.channel= -config.sku= -config.channelDesktopIcon="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"DisplayName" = "Games Manager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"DisplayVersion" = "2.2.3.385"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Oberon Media\GamesManagerInstaller]
"Installer Language" = "1033"

[HKCU\Software\Oberon Media\GamesManager]
"ChannelLanguage" = "en"
"EXE" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GamesManager]
"QuietUninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe /S -config.channelName= -config.channel= -config.sku= -config.channelDesktopIcon="
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe"
"Publisher" = "iWin Inc."

The process %original file name%.exe:620 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 0B C1 D8 10 E7 08 40 DD 23 A6 9F 8E 05 65 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Oberon Media\GamesManager\110341560\shortcuts]
"DesktopShortcut" = "%Documents and Settings%\%current user%\Desktop\Play Iplay Games.lnk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Oberon Media\GamesManager\110341560\shortcuts]
"StartMenuShortcut" = "%Documents and Settings%\%current user%\Start Menu\Programs\Iplay Games\Play Iplay Games.lnk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process awesomium_process.exe:2036 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 34 2C 5E 96 32 FF 00 6A 7A 50 3B 01 36 EA 60"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "awesomium_process.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"BitNames" = " GXIC_ENUM GXIC_DEVINFO GXIC_DEVLIST GXIC_DRIVERCOMM GXIC_API GXIC_CORE GXIC_HOOKS GXIC_COMMON"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"Guid" = "7c830ece-5fb3-417a-a1bd-508f45277356"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"ControlFlags" = "1"

The process awesomium_process.exe:468 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 04 A0 09 3C BD 7B 18 E1 BA 2C BC 6F 60 98 DF"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"BitNames" = " GXIC_ENUM GXIC_DEVINFO GXIC_DEVLIST GXIC_DRIVERCOMM GXIC_API GXIC_CORE GXIC_HOOKS GXIC_COMMON"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"Guid" = "7c830ece-5fb3-417a-a1bd-508f45277356"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"ControlFlags" = "1"

The process GamesManager.exe:1336 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 1D A8 DC 5B 4C 79 2A F5 B4 53 8F CC 21 C9 4C"

[HKCU\Software\Oberon Media\GamesManager\110341560\Settings]
"InstallLocation" = "c:\games\Iplay Games"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"LocalUri" = "%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\downloads\6899811668702051793.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"StartedAt" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\IplayArcade]
"firstTimeAID" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"BitNames" = " GXIC_ENUM GXIC_DEVINFO GXIC_DEVLIST GXIC_DRIVERCOMM GXIC_API GXIC_CORE GXIC_HOOKS GXIC_COMMON"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"Name" = "IGT Slots Kitty Glitter"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"DrmType" = "IWIN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"Uri" = "http://download.iwincdn.com/gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe"

[HKCU\Software\IplayArcade]
"installroot" = "c:\games\Iplay Games"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput\XInputDebugGuid]
"Guid" = "7c830ece-5fb3-417a-a1bd-508f45277356"

[HKCU\Software\Oberon Media\GamesManager\110341560\Downloads\6899811668702051793]
"Priority" = "1"
"Content-Size" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\DirectX\XInput]
"ControlFlags" = "1"

The process GamesManagerInstaller.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 57 91 63 22 B0 3E 3B 92 3D 44 07 14 51 83 3A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\GMInstaller]
"ugm_installer.exe" = "Download Games Manager Installer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
04cfa0c4f90e6b712705ab6e86cbdb2b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\AEWrapper.dll
867cfba84cc0789a809886211bba3013	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\GMLauncher.exe
faf0de7e86c836ba7143180bc016cb70	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\GamesManager.exe
aa39a9eefb9c6d31b5b713fb1cef221e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\Uninstaller.exe
3b0b3b0df088cacd91a116af38d67f37	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\avcodec-53.dll
9b705b19d16f3d35e5175c0a304e06bd	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\avformat-53.dll
5d25e492836df0ae8b869ef9077f1ca8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\avutil-51.dll
91bbf94eb4493d7da15f237143c720cd	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\awesomium.dll
3872fb58554a9429eb26cc51314f9010	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\awesomium_process.exe
441729c120bc3c322a74dee5f246b32e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\iWinInstaller.exe
7592558f15cb025c704031aeeed498ca	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\iWinLauncher.exe
c93f868c160949940e7b098e1df182c8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\iWinUninstallWrapper.exe
694570c2c8dfcc4942bc11da39981252	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\icudt.dll
583eec7bbb5882e58da2bdfa12f91f1f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\libEGL.dll
0da72e655f7241acb663518d55a747cf	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\libGLESv2.dll
adfb6d7b61e301761c700652b6fe7ccd	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GamesManager\xinput9_1_0.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
ugm_installer.exe:1764
%original file name%.exe:620
awesomium_process.exe:2036
GamesManager.exe:1336
GamesManagerInstaller.exe:228
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_1 (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_0 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_3 (133211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\data_2 (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\xinput9_1_0.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Index (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avformat-53.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp6.tmp (1223012 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.dll (662789 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avcodec-53.dll (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_0 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110500670\cdata.dat (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000a (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000006 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000005 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000004 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000003 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000002 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000001 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000f (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\channel.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinInstaller.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000008 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000012 (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000013 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000010 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000011 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000016 (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000017 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000014 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000015 (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinLauncher.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GMLauncher.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\channel.ico (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\QuotaManager (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000010 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000011 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000012 (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000013 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000014 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000015 (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000016 (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000001 (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000f (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000003 (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000d (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000c (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000004 (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000007 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000006 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000009 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000008 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\languagestrings.ini (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\AEWrapper.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000e (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000002 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Local Storage\http_client.iplay.com_0.localstorage (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_000005 (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000b (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\icudt.dll (324001 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000007 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\channel.ico (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_00000a (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000c (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_3 (133211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_2 (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\data_1 (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000b (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000e (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\index (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\f_00000d (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000000\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\databases\Databases.db (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\AppCache\Cache\f_000009 (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\cdata.dat (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\11008813\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libGLESv2.dll (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\channel.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\iWinUninstallWrapper.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\libEGL.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\Uninstaller.exe (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\00000002\channel.ico (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\avutil-51.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\defaultappcache\Cache\index (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium_process.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110402287\cdata.dat (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Iplay Games\Play Iplay Games.lnk (2 bytes)
%Documents and Settings%\%current user%\Desktop\Play Iplay Games.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\GamesManagerInstaller.exe (1202922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\iplay.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1 (4203229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\http_gm_0\1-journal (4231248 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000011 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000010 (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000013 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000012 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000015 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000014 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000017 (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000016 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000018 (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_vP4MAer2TmLuWqx (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000f (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000d (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000e (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000b (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000c (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_00000a (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\downloads\6899811668702051793.exe (4096187 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\QuotaManager-journal (11066 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\databases\Databases.db-journal (8934 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000f (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\index (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000d (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000e (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000b (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000c (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_00000a (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cookies-journal (12810 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\index (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_0 (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_1 (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_2 (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\data_3 (30812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium.log (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000010 (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000016 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000006 (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000007 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000005 (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000002 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000003 (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000001 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000008 (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\f_000009 (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000011 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_0 (123361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_1 (25417 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_2 (11657 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Cache\data_3 (33388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gm.log (990903 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_client.iplay.com_0.localstorage (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000013 (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000012 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Index (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000015 (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000014 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\Local Storage\http_gm_0.localstorage-journal (5042 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000008 (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000009 (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000006 (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000007 (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000005 (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000002 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000003 (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\110341560\webdata\AppCache\Cache\f_000001 (1281 bytes)
%Program Files%\GMInstaller (4 bytes)
%Program Files%\GMInstaller\ugm_installer.exe (484688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\StdUtils.dll (26 bytes)
%Program Files%\GMInstaller\iWinUpgrader.exe (10588 bytes)
%Program Files%\GMInstaller\iWinLauncher.exe (13785 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	22734	23040	4.45882	d8b9f6df4b5b3fcd3dffcc9892202f91
.rdata	28672	4496	4608	3.58804	0f7b157b78f399340e80aa07581634eb
.data	36864	110456	1024	3.20268	ef5b4d57f84d649e1a84fe60909e0d0b
.ndata	147456	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	180224	16952	17408	3.71886	283fee0eec02ea59d79ee1763a97e770

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 25
681ddd51508325855abeafdd834fb6ad
0a4c1c9628a93bfb0ebdb0a641fcb112
d38b1c301af57328f7bf9e8f51354e3d
a8de930234cd7c64e863cb5f67292f07
4fc266d80a46bfa7260718af997a95e1
4284dd5c152c6ea74b600909c19e5ebc
c1253e737846820d03a9c8059686a00f
eeb31f9ffc8957d09688a2efb8f30ee9
b0107b530eb46286ae8b754be5057958
db8964c20ad0fc0c590883251ed65cee
f7cac007a484ebd17b75b9dedb0663af
2de752d345e3ed868ce4bc8ab0e312df
de73acea0f1aaf521d93366d71ed8ede
43aca91657cb369214c13f192e7f866c
1fa21478c981aa3b2709807bc1e52ee7
434a91e68ebbd175e091c23e4b4d5e79
42a3e411846ea677a04aa881740e5ec2
9fcc6c6be157fd8618530548abb26ae0
5f7e9d52ddf3df979a4eeb7d22d45c15
cbef3fe5d37c8869edad0a9fcbe4bdba
0ba1e28250c83440c77bdf26e1561f23
27c57560bc519439595813346499e111
6be915d596f4acdc524fecc6697c82e1
f1c5eb7aa52d3b566a75ceed2bf040a3
5c0a20ded1393b5cde632d11f311845e

Network Activity

URLs

URL	IP
hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/games/GamesManagerInstaller.exe
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/gm-config
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/firstinstall-iplay.html
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/styles/firstinstall-iplay.css
hxxp://code.jquery.netdna-cdn.com/jquery-1.11.1.min.js
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/scripts/common/utils-ours/iwinutils.js
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/scripts/firstinstall.js
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/games/6898022281323102055.xml
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/iplay-icon.png
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/pause.jpg
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/stop.jpg
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/catalog/html/firstinstall/images/iplay-submit.png
hxxp://cs230.wac.edgecastcdn.net/images/product/6899811668702051793/fea_3.jpg
hxxp://iplay-iwin-com-65257455.us-east-1.elb.amazonaws.com/services/dlog?act=start&gid=6899811668702051793&sid=6898022281323102055&hid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&lid=42&aid=42&pid=0&allaccess=0&ft=0
hxxp://gs1.wpc.v1cdn.net/gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe
hxxp://gm-iplay.iwin.com/gm-config	52.1.171.52
hxxp://gm-iplay.iwin.com/games/6898022281323102055.xml	52.1.171.52
hxxp://static.iwincdn.com/images/product/6899811668702051793/fea_3.jpg	68.232.35.54
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/iplay-submit.png	52.1.171.52
hxxp://gm-iplay.iwin.com/scripts/common/utils-ours/iwinutils.js	52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/styles/firstinstall-iplay.css	52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/pause.jpg	52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html	52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/stop.jpg	52.1.171.52
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/images/iplay-icon.png	52.1.171.52
hxxp://dl.iwin.com/games/GamesManagerInstaller.exe	52.5.235.230
hxxp://gm-iplay.iwin.com/catalog/html/firstinstall/scripts/firstinstall.js	52.1.171.52
hxxp://code.jquery.com/jquery-1.11.1.min.js	94.31.29.53
hxxp://ws-iplay.iwin.com/services/dlog?act=start&gid=6899811668702051793&sid=6898022281323102055&hid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&lid=42&aid=42&pid=0&allaccess=0&ft=0	54.165.62.167
hxxp://download.iwincdn.com/gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe	93.184.221.131

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /games/GamesManagerInstaller.exe HTTP/1.0

Host: dl.iwin.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=14400

Content-Type: application/x-msdos-program

Date: Wed, 02 Dec 2015 00:39:53 GMT

Expires: Wed, 02 Dec 2015 04:39:53 GMT

Last-Modified: Mon, 30 Nov 2015 17:25:32 GMT

Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2

Content-Length: 15590928

Connection: Close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@..........................`......0.....@.................................@........@..8....................`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...P...............................rsrc...8....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

GET /images/product/6899811668702051793/fea_3.jpg HTTP/1.1

Host: static.iwincdn.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm/iwin/index.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=86400, s-maxage=2592000

Content-Type: image/jpeg

Date: Wed, 02 Dec 2015 00:40:44 GMT

Etag: "554a74109edf70ccb6c815c7f99ec07d"

Last-Modified: Thu, 01 May 2014 17:15:00 GMT

Server: ECS (rtm/35A1)

Via: 1.1 origin.iwincdn.com

Via: 1.1 varnish

x-amz-id-2: /pAq6EKcg18VMtz6Aozv84F6HhmPFbhr lRGcMUEH CT4fd5FQJWI5UoopmSV6yl

x-amz-request-id: C00C8F56B7581731

X-Cache: HIT

X-Varnish: 340174587

Content-Length: 4079

......Exif..II*.................Ducky.......<.....ihXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="uuid:87D9216DB1DEDB118DD6C85E432DE6E7" xmpMM:DocumentID="xmp.did:A6BEFC2CCBEA11E2854FF4E057693325" xmpMM:InstanceID="xmp.iid:A6BEFC2BCBEA11E2854FF4E057693325" xmp:CreatorTool="Adobe Photoshop CS4 Macintosh"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F87F117407206811A7C6B7FCD737E99F" stRef:documentID="uuid:87D9216DB1DEDB118DD6C85E432DE6E7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................>.a............................................................................................!1.AQ"2a....q.#.....BRbs.D5U......$..7........................!1AQaqR.......2#..."Bb3$............?.........j.n....y...qE,GmD......S..8q'.o....!c...5.j...:....Ymj.}.wN...t.D.j..P..f..8Z.u.D.j......./.v?...X........}.....%.V.......>.]..%.V..@..n.. ..D.j.............._.a-..}.wN...t...~......7t....._.a

<<< skipped >>>

GET /gm-config HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

Cache-Control: max-age=0

If-Modified-Since: Sat, 1 Jan 2005 00:00:00 GMT

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm/iwin/index.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 1429

Cache-Control: max-age=7200

Content-Type: application/xml;charset=utf-8

Date: Wed, 02 Dec 2015 00:40:43 GMT

Last-Modified: Sun, 17 Aug 292278994 07:12:55 GMT

P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"

Server: nginx/1.1.19

Vary: iWin-App, Accept

Via: 1.1 varnish

X-Varnish: 2144618854 2144611444

Content-Length: 4888

Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?><gm-url-config xmlns="http://VVV.iwin.com/schemas/catalog" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance"><site-host>iplay.iwin.com</site-host><gm-host>gm-iplay.iwin.com</gm-host><url-signin>https://gm-iplay.iwin.com/Login.do</url-signin><url-about-icoins>hXXp://gm-iplay.iwin.com/membership</url-about-icoins><url-my-account>hXXps://gm-iplay.iwin.com/account/icoins</url-my-account><url-signout>hXXps://gm-iplay.iwin.com/Logout.do</url-signout><url-search>hXXp://gm-iplay.iwin.com/search?q=</url-search><url-part-rawInfo>/arcade/rawinfo/</url-part-rawInfo><url-update-arcade>hXXp://gm-iplay.iwin.com/dgu?game=ARCD&ver=</url-update-arcade><url-update-game>hXXp://gm-iplay.iwin.com/dgu?game=</url-update-game><url-ws-services-slog>hXXp://ws-iplay.iwin.com/services/slog?</url-ws-services-slog><url-ws-services-dlog>hXXp://ws-iplay.iwin.com/services/dlog?act=</url-ws-services-dlog><url-ws-services-ulog>hXXp://ws-iplay.iwin.com/services/ulog?lid=</url-ws-services-ulog><url-ws-icoins>hXXp://gm-iplay.iwin.com/account/icoins-safe.xml;jsessionid=%s</url-ws-icoins><url-part-more-game>/calendar/games/new</url-part-more-game><url-part-top-game>hXXp://gm-iplay.iwin.com/arcade/home</url-part-top-game><url-part-ad1>/arcade/panel/bottom</url-part-ad1><url-part-ad2>/arcad

<<< skipped >>>

GET /catalog/html/firstinstall/firstinstall-iplay.html HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Referer: hXXp://gm/iwin/index.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Encoding: gzip

Content-Type: text/html

Date: Wed, 02 Dec 2015 00:40:43 GMT

ETag: W/"3119-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2009849561

Content-Length: 1176

Connection: keep-alive

...........V[o.6.~^........e}.d...l).,m=t{.h..fL.*I....!)9.-..6#.H....;..........X.Z...?...B.2.......5..............'........./Y9..bl..f...6K6{.>{. ..-S7x.U.J....T..|.....i..P.l ..0..r.0..c.qUq..2. -.r...<R.i.!.^..Nb..e.k.Y..a...j......D.Bt.........:.H...h$.e....]....g...u.....\W..2.4.q`MI..RW.=~j....Y\.W...e.P....G...")r.W'.O._m..o^.....!JO.ZHQ.o.......:=..K...V.uB.T..2..*l.....G.z9.I..-_...f..>8..F%6 .I........r.....I...8..o...z....V.w..p..Jj^./.F.o."M.E.........F..B...-.\.r ..xY.....2`U.4V..4.)W..f.!..(.r....).voI..9....9kFt........S#>...z..%j2."..SA/.F-...M..r.t.._..y..........-.x ..<J........{.1z#..x......O..C..E... .5.d.|F..z%.9...b.k....Q-.p.lb......R.bOc.......b..r...' .%.Z.s..l...........E.Y......Q.....^PY...u...T6J81.P.1Y..Z*tM......b{..!...^H.^.s.:.i.4..~{,..}..1.<.3..V.shFb.kL......E..6u..=.-.Q..2O..}|,....A,..!...H..[.5.-.9u...........h/.rD.b..K....K"...=..Tk*.........!...$.?..r..(...$...SmM.[...._.,\9M.....2...'....3..I....QG.t .....H...........hT...u...-Y{..?......s.db....kA..o.6.Cx.....2c.i...r.P.....T."......A*"..P>.x(..U.....(.".../...t..s.q....e..i'.i.6M.}..5.:-.FS...t3....%R[.kN..:)...........5.:.rs.AGG...M........\..<..s..X.JaR....../.......

GET /catalog/html/firstinstall/styles/firstinstall-iplay.css HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: text/css,*/*;q=0.1

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Type: text/css

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"2225-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2009849565

Content-Length: 2225

Connection: keep-alive

html,body {. margin: 0;. background: #fff;. font-family: helvetica,arial,verdana,sans-serif;. color: #3c3c3c;.}..#content {. width: 1000px;. margin: 0 auto;. overflow: hidden;. line-height: normal;.}..#content p {. line-height: 20px;. margin: 12px 0;.}...welcome {. width: 280px;. float: left;. padding: 30px 20px 0;. font-size: 14px;.}...downloadQueue, .newsletter {. float: left;. width: 295px;. padding: 30px 20px;. font-size: 14px;.}...welcome h2 {. color: #000;. font-size: 20px;. font-weight: normal;. margin-bottom: 12px;.}...welcome #iplayGamesIcon {. display: inline-block;.}..welcome #iplayGamesIcon img {. float: left; . margin: 0 5px 0 0;.}...welcome #iplayGamesIcon #note {. width: 210px;. float: right;. font-size: 12px;. line-height: 16px;. margin-top: 2px;.}...section {. border-left: 1px solid #ddd;. min-height: 310px;.}...section h2 {. color: #fff;. font-size: 18px;. line-height: 50px;. background: #811414;. height: 47px;. text-align: center;. vertical-align: middle;. margin-bottom: 0;.}...sectionContent {. border: 1px solid #ddd;. padding: 0 11px 0 15px;. min-height: 260px;.}...section #newsletterForm .error {. position: relative;. margin: 10px 0;. padding: 10px 10px 10px 40px;. color: #ff0000;. border: 1px solid #ff0000;. font-weight: bold;. border-radius: 6px;.}..section #newsletterForm .error i {. position: absolute;. top: 50%;. margin: -10px 5

<<< skipped >>>

GET /catalog/html/firstinstall/images/pause.jpg HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Type: image/jpeg

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"1314-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2144618864

Content-Length: 1314

Connection: keep-alive

......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:F14B3D15F8A911E19DA88B900A91E56E" xmpMM:DocumentID="xmp.did:F14B3D16F8A911E19DA88B900A91E56E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F14B3D13F8A911E19DA88B900A91E56E" stRef:documentID="xmp.did:F14B3D14F8A911E19DA88B900A91E56E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................................s...................................................................!....QAa."Rr.#.4DE........................A"..............?.......r.".s*.4[.....V.Pn`..&..o)...x=m...c............"...........!..p.Xq.9.yDo..uY..."Pl.....qS.IBOMl.oz.7N..w..o...mkr.1..k^.~^......Pa..<6n..[....._.....

<<< skipped >>>

GET /jquery-1.11.1.min.js HTTP/1.1

Host: code.jquery.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Date: Wed, 02 Dec 2015 00:40:44 GMT

Content-Type: application/javascript; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Fri, 24 Oct 2014 00:16:07 GMT

Vary: Accept-Encoding

ETag: W/"54499a47-1762a"

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Cache-Control: max-age=315360000

Cache-Control: public

Access-Control-Allow-Origin: *

Server: NetDNA-cache/2.2

X-Cache: HIT

Content-Encoding: gzip

97a5..............iw#....}......F.M.$.m..XR.e..du..7.ya(.$............*..%{.s...j j..12..|.d.../.................g...d.=.8..bq;.....<..j>8.....<Z,.Og.A1_.{O.....v>P.z/.7.j..E1X..|...X......Yqp.......b.^.].p.......U1_......h..5....~Y...,.o........bY..Q......X....N.C....'...k..e..]..h.q.....c/F.y1...q.......LWY.!..Mo.7.;.l...V....j...z.l....j.... ...F.$......h.x.^N.....Io.......u.\...Uh..............u4.S.tmkq....?w.W.._.....w..w............V.O....a.s>....m<.O......._.......7.O.r~ut.\..Z...AKk.1....v.^,[W.....\.j.......q.^|.\... .......z.Y].......,.......~.k....*..5.s....buz.V.2...uopY.R..g$W.r\X.Z.0.z#....p.7......}.]...v.n..}V............YK.v.}v..N...6...:].].."<..A,.s3.#U..^....Xr...Q..z...h9.M.R...r.,@....~L.Y.W...P..){.*.)OV,...^.......|o.sp..........t..n..U..aY.....m6V]...#>...F....b#......ug.,.xjM;..;._.epCb1..aVd#6}/Ld......'..[?>.....?9......Y....t|pP.....&..f..=......h.." .qc...A'.Z..)....N............nG.....I..P..{..^.......J......@.;8..Z.~.........v.te....F...?..n..../{.vO ......-......}..I.....t.w.{cEx.P..\...t..EhyRQk.g.oz...R...........E....`.Z..MW?......qV...p..o.!.I6_,.......Q..a.Z.!V.....,..C..7..f.JS...ZO....?...................m...v|......^.........i.)......{...*l..|..G...70./..d.w|m......b...lzG...x..9.w#.ceK..{.. ......_8...j..Z#y.~P..........V.t....G...rO..G....A...*.....o.....A7...l......2S..huY.v.Y....E...$..*.L.=.L.\4@/.........f.~o..MoV6.E.k...\..L..\. ......:.U...o.|.<..}6.].3q.e....zq;....J......m.a.-5$.'d.......#....z.6.1......[$VP.b........K.........;...

<<< skipped >>>

GET /gg/pf/iwin/6899811668702051793/acd_-1m_pogoiwin_gas/iwin/IGTSlotsKittyGlitterSetup.exe HTTP/1.1

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Host: download.iwincdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=2592000

Content-Type: application/x-msdos-program

Date: Wed, 02 Dec 2015 00:40:47 GMT

Etag: "801861bb7cf526b51dd690cd1857abcc-25"

Expires: Thu, 10 Dec 2015 19:43:50 GMT

Last-Modified: Sun, 13 Apr 2014 03:55:23 GMT

Server: ECAcc (ams/48C2)

Via: 1.0 download.iwin.com

x-amz-id-2: lwdgVg9IO4dfLQ4xkKHIAx0scC jE1m6tOm9nfb0PXCGOB/miSh0AXaDs5uviWVtyAAwOrgIxYw=

x-amz-request-id: DBBBDEFBCCCBDA49

X-Cache: HIT

Content-Length: 178394424

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....f.R.................\...........0.......p....@..........................p......:........................................s...........m..............x............................................................p...............................text...jZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc....m.......n...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....6B..H.P.u..u..u....r@..B...SV.5.6B..E.WP.u....r@..e...E..E.P.u....r@..}..e....Lp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Tp@..E...E.P.E.P.u....r@..u....E..9}...w....~X.te.v4..Dp@....E.tU.}.j.W.E......E.......@p@..vXW..Hp@..u..5<p@.W...E..E.h ...Pj.h..B.W...r@..u.W...u....E.P.u...\r@._^3.[.....L$...6B...Si.....VW.T.....tO.q.3.;5.6B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.6B.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

GET /catalog/html/firstinstall/scripts/firstinstall.js HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Type: text/javascript

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"5312-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2144618860

Content-Length: 5312

Connection: keep-alive

/**. * @fileOverview Provides functionality for email submission on the landing page of game manager first installs.. * . * @author Kyle Brown (kbrown@iwin.com). * @author Jason Laumeister (jlaumeister@iwin.com). * @reader Carlos Ambrozak (cambrozak@iwin.com). * @review PASS. *. * @jslint 03/14/2012. */../*global window, document, console, $J */../**. * @namespace iwin. */.var iwin = window.iwin || {};../**. * @namespace iwin.firstInstall. */.iwin.firstInstall = iwin.firstInstall || {};../**. * @namespace iwin.messages. */.iwin.firstInstall.messages = {. EMAIL_IS_EMPTY: 'Email field is empty',. EMAIL_IS_NOT_VALID: 'Email is not in a valid format',. FIRST_NAME_IS_EMPTY: 'First name field is empty',. SUCCESS: 'Thank You!Thank you for signing up for our email newsletter! You will start to receive our emails within 1-2 weeks notifying you of new game releases and game discounts.Enjoy!'.};../**. * @function. */.iwin.firstInstall.validate = function () {. var elements = iwin.firstInstall.elements, valid = true;.. if (elements.errorContent) {. elements.errorContent.html('');. }.. if (elements.firstName.val().length < 1) {. iwin.firstInstall.showError('FIRST_NAME_IS_EMPTY');. valid = false;. }.. if (elements.email.val().length > 0) {. if (!iwin.Util.isEmailValid(elements.email.val())) {. iwin.firstInstall.showError('EMAIL_IS_NOT_VALID');. valid = fal

<<< skipped >>>

GET /games/6898022281323102055.xml HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm/iwin/index.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Cache-Control: max-age=7200

Content-Type: application/xml;charset=utf-8

Date: Wed, 02 Dec 2015 00:40:44 GMT

P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"

Server: nginx/1.1.19

Vary: iWin-App, Accept

Via: 1.1 varnish

X-Varnish: 1925486456

Content-Length: 7257

Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?><game xmlns="hXXp://www.iwin.com/schemas/catalog" xmlns:xlink="hXXp://VVV.w3.org/1999/xlink" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" id="igt-slots-kitty-glitter" parent-game-id="6899811668702051793" universal-product-id="igt-slots-kitty-glitter" self="hXXp://gm-iplay.iwin.com/games/igt-slots-kitty-glitter" canonical-url="hXXp://gm-iplay.iwin.com/games/igt-slots-kitty-glitter" coming-soon="false"><sku-id>6898022281323102055</sku-id><title>IGT Slots Kitty Glitter</title><ultra-short-description>Play Real Las Vegas Slots!</ultra-short-description><short-description>Play FREE, no time limit, EVER! IGT Slots Kitty Glitter is the latest premium slot experience available for your PC system. Featuring authentic casino slot machines from IGT - The World's Leading Slot Machine Manufacturer! Bring casino games into your home! Play Kitty Glitter Slots and see why this Cat is Queen! Plus, three more exciting themes! Amazing graphics and video bonus rounds make these exciting games addicting. Simulate the feeling of being in a real casino with true-to-life slots.</short-description><long-description>IGT Slots Kitty Glitter is the latest premium slot experience available for your PC system. Featuring authentic casino slot machines from IGT - The World's Leading Slot Machine Manufacturer!<

<<< skipped >>>

GET /catalog/html/firstinstall/images/iplay-icon.png HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Type: image/png

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"7012-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2144618863

Content-Length: 7012

Connection: keep-alive

.PNG........IHDR...8...8.......;.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:314163C8BBA511E48E69D9A29A84EF86" xmpMM:DocumentID="xmp.did:314163C9BBA511E48E69D9A29A84EF86"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:314163C6BBA511E48E69D9A29A84EF86" stRef:documentID="xmp.did:314163C7BBA511E48E69D9A29A84EF86"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>[L~.....IDATx..Z.x...~..=....YH..EbP....*.Z...j..Z\Z......VQ.V...Z.>.u.Z.....B.}.......d......IH ,..s.yN&.2...[....9...l.^>.. .....!. W...@....th@..h0...f.7............F........c.`.......ee.......#...z...C.........."..&Nf5....f......y}k.F...@`.gs5.......1c.=~.....-..q....C}Y.jW~../.......o'../.L.M.h...h0...fw..s........i.0`.t........:.......`[......@J~.,.}.<..Z......{.B.y.5.l.*.....:..i.........>./(......C....[n.z^......'.W.D.'...R..b....9[...2...PR.<.9.^...gv......u.|T._....D.}...F...1..............G.Q..s...gq..o]..!^.. .....&34#i..G#:.0!.....&.L*...k....o.3.....`.6.{/......y.

<<< skipped >>>

GET /scripts/common/utils-ours/iwinutils.js HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 533

Cache-Control: max-age=3600

Content-Type: text/javascript

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"12834-1448453100000"

Expires: Wed, 02 Dec 2015 01:31:51 GMT

Last-Modified: Wed, 25 Nov 2015 12:05:00 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2144618859 2144616105

Content-Length: 12834

Connection: keep-alive

function i$(a){if($J(a).length)return $J(a);console.debug("There is no such element with id = '%s'",a);var b={style:{},src:{},href:{},absolutize:function(){},addClassName:function(){},addMethods:function(){},adjacent:function(){},ancestors:function(){},childElements:function(){},classNames:function(){},cleanWhitespace:function(){},clonePosition:function(){},cumulativeOffset:function(){},cumulativeScrollOffset:function(){},descendantOf:function(){},descendants:function(){},down:function(){},empty:function(){},extend:function(){},fire:function(){},firstDescendant:function(){},getDimensions:function(){},getElementsByClassName:function(){},getElementsBySelector:function(){},getHeight:function(){},getOffsetParent:function(){},getStyle:function(){},getWidth:function(){},hasClassName:function(){},hide:function(){},identify:function(){},immediateDescendants:function(){},insert:function(){},inspect:function(){},makeClipping:function(){},makePositioned:function(){},match:function(){},next:function(){},nextSiblings:function(){},observe:function(){},positionedOffset:function(){},previous:function(){},previousSiblings:function(){},readAttribute:function(){},recursivelyCollect:function(){},relativize:function(){},remove:function(){},removeClassName:function(){},replace:function(){},scrollTo:function(){},select:function(){},setOpacity:function(){},setStyle:function(){},show:function(){},siblings:function(){},stopObserving:function(){},toggle:function(){},toggleClassName:function(){},undoClipping:function(){},undoPositioned:fu

<<< skipped >>>

GET /catalog/html/firstinstall/images/stop.jpg HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Type: image/jpeg

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"1393-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 1925486457

Content-Length: 1393

Connection: keep-alive

......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:086B8794F8AA11E1B6ED91D1947D4E3A" xmpMM:DocumentID="xmp.did:086B8795F8AA11E1B6ED91D1947D4E3A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:086B8792F8AA11E1B6ED91D1947D4E3A" stRef:documentID="xmp.did:086B8793F8AA11E1B6ED91D1947D4E3A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.........................................................................................................................................................................................................................................!1."2#.ab3.D......................1.!A..#."2.a...Bbrc$..............?.......Tr...R...Z.Sh.S1..r...s.f.f....Y.dA...W.g;.. b(.B.$J.....e..B...cb%..;m.jHC....3 ..C. .t.BV.O....u...?C.w2..n.P.|..sN&.v.~Ii1.. ....pXj..J..Ha ....d.C.-...n).9.}......Y.s.?K..-.>....S{.........v.W..?.D?j....9.......

<<< skipped >>>

GET /catalog/html/firstinstall/images/iplay-submit.png HTTP/1.1

Host: gm-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm-iplay.iwin.com/catalog/html/firstinstall/firstinstall-iplay.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Content-Type: image/png

Date: Wed, 02 Dec 2015 00:40:44 GMT

ETag: W/"2108-1448528502000"

Last-Modified: Thu, 26 Nov 2015 09:01:42 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2144618865

Content-Length: 2108

Connection: keep-alive

.PNG........IHDR.......(.......T.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:0BF80373BBA511E4ABC9C1AC95444688" xmpMM:DocumentID="xmp.did:0BF80374BBA511E4ABC9C1AC95444688"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0BF80371BBA511E4ABC9C1AC95444688" stRef:documentID="xmp.did:0BF80372BBA511E4ABC9C1AC95444688"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..OB....IDATx....H.G..?m....6.GDe?H2V...".FI.....i..Z.2Z.H.5j.Fl ."(6.......f......L..ObI.I..F..{_.u.>.<i.'...><......s_.}...=..9...0A....B..&.).)k........V.F...#B..ne[..0.P....BHT.Q.]Y........,..B.Q.a..JQ .8dB.b.........!}.0.B(.....!..@..0.B(....a$... ;5O.=Ir...T...C..!.)..K.N]"q.x.....T...`........Y.._&&e..;.....!m.../dv..:...<>P...,..y.....H ..{ ........|..'1h].......C.c.&>l........(...$[ .I.?5:......W&..............M.KCG..(..<...2l..........#.>.K}=:a.......#.....23%G./...]z...P.$O..c..........:MY....F......P.....F..C...?.g.x.|"..1.....)...EN....<.E,..B.s~M...

<<< skipped >>>

GET /services/dlog?act=start&gid=6899811668702051793&sid=6898022281323102055&hid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&lid=42&aid=42&pid=0&allaccess=0&ft=0 HTTP/1.1

Host: ws-iplay.iwin.com

Connection: keep-alive

User-Agent: NextDM/2.2.3.385 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.2.3.385

Accept: */*

Referer: hXXp://gm/iwin/index.html

Accept-Encoding: gzip,deflate

Accept-Language: en-us,en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Accept-Ranges: bytes

Age: 0

Date: Wed, 02 Dec 2015 00:40:45 GMT

Server: nginx/1.1.19

Via: 1.1 varnish

X-Varnish: 2009849571

Content-Length: 2

Connection: keep-alive

OKHTTP/1.1 200 OK..Accept-Ranges: bytes..Age: 0..Date: Wed, 02 Dec 2015 00:40:45 GMT..Server: nginx/1.1.19..Via: 1.1 varnish..X-Varnish: 2009849571..Content-Length: 2..Connection: keep-alive..OK..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

GamesManager.exe_1336:

.text

`.rdata

@.data

.rsrc

@.reloc

uÂ u

FTPSQR

8sqliu

,4,56,789

xSSSh

FTPjKS

FtPj;S

C.PjRV

USER32.dll

Line %d, Column %d

GetProcessWindowStation

operator

portuguese-brazilian

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

large file support is disabled

unknown operation

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

GetProcessHeap

RowKey

3.7.14

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

%s\%s

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

unknown database %s

keyinfo(%d

%s(%d)

%s-mjXXXXXX9XXz

MJ delete: %s

MJ collide: %s

-mjX9X

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

type='trigger' AND (%s)

sqlite_

table %s may not be altered

there is already another table or index with this name: %s

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

constraint %s failed

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s TABLE %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid>? AND rowid)

%s (rowid>?)

%s (rowid)

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

at most %d tables in a join

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

1.2.8

gm.log

Mozilla/5.0 (Windows NT) AppleWebKit/${webkitversion} (KHTML, like Gecko) Version/${GMVersion} GamesManager/${GMVersion}

NextDM/${GMVersion} AppleWebKit/${webkitversion} (KHTML, like Gecko) GamesManager/${GMVersion}

${webkitversion}

HKEY_CURRENT_USER\Software\Oberon Media

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

icon.ico

OmnitureReporter.exe

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

body { -webkit-user-select: none; }

webdata\

cdata.dat

asset://gm/iwin.html

hXXp://client.iplay.com/

hXXps://client.iplay.com/

DefaultCertificateId

downloadURLType

StartMenuIconURL

hXXp://gm/

hXXps://gm/

languagestrings.ini

hXXp://

hXXps://

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

hXXps://p.iwin.com/gm/autoupdate/version.json

GM_GameCertificateFail

hXXp://dl.iwin.com/

hXXps://dl.iwin.com/

hXXp://s-dl.iwin.com/

hXXps://s-dl.iwin.com/

hXXp://d1.iwin.com/

hXXps://d1.iwin.com/

hXXp://s-d1.iwin.com/

hXXps://s-d1.iwin.com/

hXXp://VVV.iwin.com/

hXXps://VVV.iwin.com/

hXXp://gm.iwin.com/

hXXps://gm.iwin.com/

GameExe

\glcfg.date

gameExe

stdat.dat

GLWorker.exe

activate2_%s_%s

activate_%s_%s

ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid%s

gamepage/buynow.html

110266250

110267383

110402287

gas.dll

GamesManagerInstaller.exe

gmv.tmp

URL Request: %s

Error missing mimetype for: %s

Began Loading: %s

Finished Loading: %s

Document Ready Message for: %s

[WebConsole - %s:%d] %s

x.sdfgywvnpq9t81u-nc8qcm=-wetu9q-3v5ry80

-exeu=

-exed=

[ERROR] - %s - Code:%d (OptSku:%s)

[ERROR] - %s - Code:%d

Version string in JSON is invalid found %s

OZip: Writing file %s

OZip: Unable to open writeable stream for file %s

Unable to open zip archive: %s

/index.html

CertificateRevokeCompleted

CertificateRevokeFailed

CertificateRevokeStarted

CertificateGrantComplete

CertificateGrantFailed

CertificateGrantStarted

homepage.html

sign-in.html

errorpage.html

index.html

GMS: getData uri:%s

GMS: getData found resource:%s

GMS: getData loadResource:%s

GMS: getData parse game data:%s

GMS: getData read channel zip:%s

GMS: readFileFromChannelZip file: %s

GMS: readFileFromChannelZip mime: %s

GMS: readFileFromChannelZip OZip::open %s

GMS: handleRequest id:%d path:%s

\iwininstaller.exe

-gmexe="

-gmregkey="

-preinstallurl="%s"

-gamestring=%s

-config.installRoot="

[EVENT] Sending '%s' Event '%d' Message '%s'

[EVENT] Sending '%s' Event '%d'

[EVENT] Game State: %s

[EVENT] Sending '%s' Event '%d' Complete

Game Download Completed, but queueing install for '%s' as another game is installing

_update.zip

and Unable to remove registry keys

Unable to remove registry keys

Game %s has no location of DRM file(s) - unable to revoke a certificate in this case

Installing Certificate %s to Game %s

Game %s has no location of DRM file(s) - unable to install a certificate in this case

Game Doesn't Have an uninstall exe specified

finalizeInstallProcess: iWin Sourced Executable, NEEDSINSTALLREGCOPY: %d

finalizeInstallProcess: KEY_REGCOPYSRC: %s

finalizeInstallProcess: REGMACHINEINSTALLLOCATION: %s

finalizeInstallProcess: attempting to find game in registry by sku: %s

finalizeInstallProcess: Failed to find game by sku. Try by name: %s

finalizeInstallProcess: folderName: %s

finalizeInstallProcess: Copy Root destKey: %s folderName: %s

%s\%s\%s

finalizeInstallProcess: Copy registry key 'GameExe' value dest: %s src: %s

finalizeInstallProcess: 'GameExe' value to set: %s

finalizeInstallProcess: Copy registry key 'InstallDir' dest: %s src: %s

finalizeInstallProcess: 'InstallDir' setValue: %s

finalizeInstallProcess: Copy registry key 'GameName' to dest: %s

finalizeInstallProcess: 'GameName' setValue: %s

gameAID|%s|gameLID|%s

finalizeInstallProcess: Writing stampdata file %s

finalizeInstallProcess: Unable to write stampdata file for %s

finalizeInstallProcess: Deleting registry key: %s

finalizeInstallProcess: regRoot: %s

finalizeInstallProcess: regRoot query mSKU: %s

GameId setValue key: %s value: %s

finalizeInstallProcess: regRoot key does not exist

\iWinUninstallWrapper.exe -sku=

Error creating registry keys for iwin drm game

Error opening registry keys to finalize install of iwin drm game

Failed to update DRM for thread for DRM Update for game %s [Thread Autoclosed]

Failed to launch thread for DRM Update for game %s

Game: updateDrmStats name:%s

Game: updateDrmStats command:%s

Game: open Drm file: %s

Game %s [Key: %s] has %d seconds remaining

Game: updateDrmStats ODrm::load fail name:%s

[IWIN-Game-Config (%s)] %s

GM_initialise: Initialise JS Reporting

GM Location: %s

GM Version: %s

asset://gm/index.html

reg path: %s

subKeys found: %d

skuValue : %s

skuValue (Read from root): %s

skuValue not found in 'GameID' key or Registry Root

appName : %s

gameExe : %s

gameExe not found

installDir : %s

Game %s(%s): cannot find game folder at location '%s' therefore skipping game

GM_scanForInstalledGames: registry sku[%s] channel[%s]

GM_scanForInstalledGames: EXE launch[%s] drm[%s]

GM_scanForInstalledGames: getExeFilename

GM_scanForInstalledGames: appName[%s]

Game Download Found: [%s] %s

iwin://ACDCMD=

if(!window.GamesManager) {

window.GamesManager = {

GamesManager.mEventCallbackObject[GamesManager.mEventCallbackMethod](event, object );

for(var i = 0 ; i

if(GamesManager.mGames[i].sku === sku) {

ret = GamesManager.mGames[i];

for(var i = 0 ; i

GamesManager.mGames.splice(idx,1);

if(!GamesManager.findGame(sku)) {

drmType: GamesManager.DRMTYPE_TRIAL,

GamesManager.mGames.push(g);

g.state = GamesManager.GAMESTATE_DOWNLOADING;

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEDOWNLOADSTART,g);

var dloadMax = Math.floor(Math.random() * 20) 10;

var dloadSize = Math.floor((Math.random() * 1000000000) 10000000);

g.downloadStartedAt = Math.floor(Date.now()/1000);

g.downloadEstimatedComplete = Math.floor(Date.now()/1000) (dloadMax*1000);

g.downloadTotalBytes = dloadSize;

g.downloadCurrentBytes = Math.floor((dloadSize / dloadMax) * dloadCount);

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEDOWNLOADPROGESS,g);

g.state = GamesManager.GAMESTATE_INSTALLING;

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEINSTALLSTARTED,g);

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEINSTALLCOMPLETED,g);

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTSTARTED,g);

g.drmRemains = 60*60;

g.drmTrialTotal = g.drmRemains;

g.state = GamesManager.GAMESTATE_READY;

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTCOMPLETE,g);

}, 1000);

GamesManager.EVENT_

GamesManager.GAMESTATE_

GamesManager.SYSTEMREQUEST_

// GamesManager Game Flags Passed in the {game}.flag JS as an CSV

GamesManager.GAMEFLAG_%s = '%s';

GamesManager.DRMSOURCE_BLAZE = '%s';

GamesManager.DRMSOURCE_IWIN = '%s';

// GamesManager DRM Certificate Types

GamesManager.DRMTYPE_PURCHASED = '%s';

GamesManager.DRMTYPE_AYCE = '%s';

GamesManager.DRMTYPE_TRIAL = '%s';

GamesManager.DRMTYPE_GAS = '%s';

Sending Event %d: %s

Error Sending Event %d

Sending SystemEvent %d: %s

http_

Local Storage\{channelurl}.localstorage

{channelurl}

110500670

update ItemTable set key='resources-{nchannel}' where key='resources-{ochannel}';

update ItemTable set key='channel-{nchannel}' where key='channel-{ochannel}';

https_

manifest_url

iWin Download Requested: %s

?ACDCMD

iWin Download Requested, doesn't include ACDCMD* option - Skipping download

iWin Link protocol Requested: %s

iWin:// protocol Requested: %s

Read iWinChannel::REGUSERLEGACY_LOGINHID %s

set property UNIQUEMACHINEID %s

HKEY_CURRENT_USER\Software\Oberon Media\Client\Components\Initiator

r.first

r.last

LEGACY_LOGINNAME

LEGACY_LOGINTOKEN

set property LEGACY_LOGINHARDWAREID %s

LEGACY_LOGINHARDWAREID

if(GamesManager.mEventCallbackObject) {

var g = GamesManager.findGame(unitySku);

GamesManager.uninstallGame(unitySku);

GamesManager.downloadGame(unitySku,g.name,"",g.drmType);

}, 4000);

console.log('GM.registerCallback not called');

sidrUrl

g.state = GamesManager.GAMESTATE_UNINSTALLING;

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEUNINSTALLSTARTED, g);

GamesManager.removeGame(unitySku);

g.state = GamesManager.GAMESTATE_REMOVED;

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEUNINSTALLCOMPLETED, g);

}, 2000);

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEREVOKESTARTED, g);

if(g.drmType) {

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEREVOKECOMPLETED, g);

g.drmType = null;

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEREVOKEFAILED, g);

Revokes the current certificate

revokeCertificate

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTSTARTED, g);

if(certificateName.indexOf('CERT_M') === 0) {

g.drmType = GamesManager.DRMTYPE_TRIAL;

g.drmRemains = (parseInt(certificateName.substring('CERT_M'.length)) * 1000);

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTCOMPLETE, g);

} else if(certificateName.indexOf('@') > 0) {

g.drmType = GamesManager.DRMTYPE_AYCE;

g.drmRemains = 0;

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTFAILED, g);

GamesManager.sendGameEvent(GamesManager.EVENT_CERTIFICATEGRANTFAILED);

Installs a certificate synchronously

installCertificateSynchronous

g.drmType = GamesManager.DRMTYPE_PURCHASED;

optionalCertificateKey

certificateName

Installs a certificate

installCertificate

GamesManager.sendGameEvent(GamesManager.EVENT_GAMELAUNCHSTARTED, g);

GamesManager.sendGameEvent(GamesManager.EVENT_GAMELAUNCHCOMPLETE, g);

GamesManager.sendGameEvent(GamesManager.EVENT_GAMEOVER, g);

}, 5000);

GamesManager.sendGameEvent(GamesManager.EVENT_GAMELAUNCHFAILED);

if(GamesManager.findGame(unitySku)) {

console.log("Removed download data");

console.log("Game Not Found");

console.log("Not able to resume");

console.log("Not able to pause");

GamesManager.addGame(unitySku,name,drmType);

console.log('GM.registerCallback has not called');

console.log('Not implemented in debug');

console.log('Not Implemented');

this.mEventCallbackObject = object;

this.mEventCallbackMethod = methodname;

this.mGames = DEFAULT_GAMES;

this.mSystem = DEFAULT_SYSTEM;

GamesManager.sendGameEvent(GamesManager.EVENT_GAMESMANAGERCONFIGREADY, GamesManager.mSystem );

GamesManager.sendGameEvent(GamesManager.EVENT_GAMESMANAGERGAMESREADY, GamesManager.mGames );

}, 500);

console.log('Not Currently Implemented');

window.close();

window.open(uri);

Shells out to an exe, help or other protocol specified request

console.log(message);

Attempting to shell out to %s

startDownload(): Not enough parameters passed

METHOD_GETGAMEUSERPROPERTY: 2 sku param = %s

METHOD_GETGAMEUSERPROPERTY: 4 propName = %s

METHOD_GETGAMEUSERPROPERTY: 5 propValue = %s

config.iwinrequest

debug.buildappcache

qa.setversion

qa.updatecheck

config.channelStartMenuUrl

config.channelDesktopUrl

config.channelIcon

config.channellanguage

gui.showsplash

config.nphase.src

config.nphase

config.uri

config.channel

config.sku

debug.logurldata

debug.ignoreredirect

debug.datafolder

debug.scrollbars

debug.testdata

debug.dumpjs

debug.refreshcache

debug.window

debug.file

Unable to find language, defaulting to %s

channel.cfg

RegMachineInstallGMLocationKeyName

RegMachineInstallGMLocationKeyValue

HKEY_CURRENT_USER\Software\iWinArcade\installRoot

InstallerRequiredRegistryKeyLocation

hXXp://gm/iwin/index.html

ChannelLaunchUrl

KeyCopyRegFolder

c:\games\iWin

RegUserLegacyLoginHID

RegUserLegacyLoginToken

RegUserLegacyLoginName

needsRegKeyCopy

supportsBlazeGames

[ERROR] Failed to start GLWorker for iwin DRM - %s

[iWinDRMReports] AltUserName: %s

[iWinDRMReports] DaysLeft: %s

[iWinDRMReports] Timeleft: %s

* Oberon Channel Setting = %s

* iWin Registry Setting = %s

* Default Setting = %s

* CURRENT SETTING = %s

*.dta

JSon Error Parsing: %s

asset://debugger//index.html

Setting Status: %d

Downloading %s to %s

The requested operation cannot be carried out because the handle supplied is not in the correct state

The type of handle supplied is incorrect for this operation

Not enough memory was available to complete the requested operation. (Windows error code)

WinHttpQueryHeaders GetLastError Returned

Error Not Supported

Error Version Not Supported

Download Read Failure error %d

Download Recieve Failure error %d

User-Agent: %s

|GoogleChrome

\Google\Chrome\User Data\Default

last_chrome_version

Firefox

\Mozilla\Firefox\Profiles

prefs.js

HKLM\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion

HKLM\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion

browser.startup.homepage

OFIS - Unable to open file %s due to win32 code %X

DoesFolderExist INVALID_FILE_ATTRIBUTES and GetLastError returned %I for %s

%D/%D/%D

%d.d

InstallKey

ExpireCurrentKey

SetDefaultKey

Launching With CreateProcess Executable: %s

Launching Executable: %s

Using Params: %s

Launching Executable (No Control): %s

Launching via rundll32.exe

url.dll,FileProtocolHandler

HKEY_CURRENT_USER

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

%d-%d-%d %d:%d:%d

Read HKLM\Software\Microsoft\Cryptography\MachineGuid %s

PROFILING: Point (%s) tool %d ms

Windows Version: %d.%d [Build:%d]

SP: %s

Suite Mask: %d

CPU Arch: %d - %s

Logical Processors: %d

Processor Mask: %d

Graphic Device: %s - %s - %d

%X - %s

%X - [UNKNOWN]

Process Name: %s

- Context Flags: %X

- Debug Registers: Dr0:%X Dr1:%X Dr2:%X Dr3:%X Dr6:%X Dr7:%X

- FP: ControlWord:%X StatusWord:%X TagWord:%X ErrorOffset:%X ErrorSelector:%X DataOffset:%X DataSelector:%X Cr0npxState:%X

- FPR:%d=%X

FPR:%d=%X

- Segments: Gs:%X Fs:%X Es:%X Ds:%X

- Integers: Edi:%X Esi:%X Ebx:%X Edx:%X Ecx:%X Eax:%X

- Control: Ebp:%X Eip:%X Esp:%X SegSs:%X

- Ext:%d=%X

Ext:%d=%X

Exception Code:%X address:%X flags:%X

- Parameters: %d

- PInfo: %d=%X

Line %d in File: %s Function: %s

- x:%d y%d

xinput9_1_0.dll

libGLESv2.dll

libEGL.dll

icudt.dll

awesomium_process.exe

awesomium.dll

avutil-51.dll

avformat-53.dll

avcodec-53.dll

Checking for file %s : %s

?#%X.y

KERNEL32.dll

GDI32.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

SHFileOperationW

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

?spec@WebURL@Awesomium@@QBE?AVWebString@2@XZ

??1WebURL@Awesomium@@QAE@XZ

??0WebConfig@Awesomium@@QAE@XZ

?Create@ResourceResponse@Awesomium@@SAPAV12@IPAEABVWebString@2@@Z

?Assign@WebString@Awesomium@@QAEAAV12@ABV12@@Z

?Assign@WebString@Awesomium@@QAEAAV12@PBG@Z

?data@WebString@Awesomium@@QBEPBGXZ

??1WebString@Awesomium@@QAE@XZ

??0WebString@Awesomium@@QAE@XZ

??0WebString@Awesomium@@QAE@PBG@Z

?Shutdown@WebCore@Awesomium@@SAXXZ

?Initialize@WebCore@Awesomium@@SAPAV12@ABUWebConfig@2@@Z

??1WebConfig@Awesomium@@QAE@XZ

?OnWillDownload@ResourceInterceptor@Awesomium@@UAEXHHABVWebURL@2@@Z

?SetCustomMethod@JSObject@Awesomium@@QAEXABVWebString@2@_N@Z

?Invoke@JSObject@Awesomium@@QAE?AVJSValue@2@ABVWebString@2@ABVJSArray@2@@Z

?SetProperty@JSObject@Awesomium@@QAEXABVWebString@2@ABVJSValue@2@@Z

?ToString@JSValue@Awesomium@@QBE?AVWebString@2@XZ

??0JSValue@Awesomium@@QAE@ABVWebString@1@@Z

?SendResponse@DataSource@Awesomium@@QAEXHIPBEABVWebString@2@@Z

??_7Process@WebViewListener@Awesomium@@6B@

??_7View@WebViewListener@Awesomium@@6B@

??_7Menu@WebViewListener@Awesomium@@6B@

??_7Load@WebViewListener@Awesomium@@6B@

??0WebPreferences@Awesomium@@QAE@XZ

??0WebKeyboardEvent@Awesomium@@QAE@IIJ@Z

??0WebURL@Awesomium@@QAE@ABVWebString@1@@Z

??1WebPreferences@Awesomium@@QAE@XZ

??1Menu@WebViewListener@Awesomium@@MAE@XZ

??1Process@WebViewListener@Awesomium@@MAE@XZ

??1Load@WebViewListener@Awesomium@@MAE@XZ

??1View@WebViewListener@Awesomium@@MAE@XZ

?ToUTF8@WebString@Awesomium@@QBEIPADI@Z

?CreateFromUTF8@WebString@Awesomium@@SA?AV12@PBDI@Z

??AWebMenuItemArray@Awesomium@@QBEABUWebMenuItem@1@I@Z

?size@WebMenuItemArray@Awesomium@@QBEIXZ

??0WebString@Awesomium@@QAE@ABV01@@Z

??1WebMenuItem@Awesomium@@QAE@XZ

??0WebMenuItem@Awesomium@@QAE@ABU01@@Z

WinHttpReceiveResponse

WinHttpSetOption

WinHttpGetIEProxyConfigForCurrentUser

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryHeaders

WinHttpSetStatusCallback

WinHttpOpen

WinHttpOpenRequest

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpReadData

WINHTTP.dll

VERSION.dll

PSAPI.DLL

dbghelp.dll

GetCPInfo

zcÃ

.?AVMenu@WebViewListener@Awesomium@@

.?AVProcess@WebViewListener@Awesomium@@

.?AVLoad@WebViewListener@Awesomium@@

.?AVView@WebViewListener@Awesomium@@

.?AVHttpDownload@@

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\GamesManager.exe

.dJ!E

.I.MZ>

.header {

.footer {

.desc {

if (location.search) {

var parts = location.search.substring(1).split('&');

for (var i = 0; i

var nv = parts[i].split('=');

document.getElementById('error_code').innerHTML = "Error " params.err ;

var appName = params.appname;

if(appName != null && appName.length > 0) {

var el = document.getElementsByName('appname');

for(var i = 0 ; i

el[i].innerHTML = appName;

function gotoUrl() {

if(params.faqurl) {

If all else fails you could attempt to reinstall Games Manager by clicking the following address F.A.Q Note: Link will open in your normal browser

.header {

if (messageData.slice(0, TYPE_EVENT.length) == TYPE_EVENT) {

} else if (messageData.slice(0, TYPE_JS.length) == TYPE_JS) {

function addMessage(msg) {

document.getElementById('debuglog').innerHTML = msg "
";

function addJSResult(msg) {

document.getElementById('execlog').innerHTML = msg "
";

document.getElementById('eventlog').innerHTML = eData.toString() "
";

var elem = document.getElementById(dId);

var elemSym = document.getElementById(dId "_symbol");

if (elem.style.display == 'block') {

elem.style.display = 'none';

elemSym.innerHTML = '[ ]';

elem.style.display = 'block';

elemSym.innerHTML = '[-]';

var jString = document.getElementById('sendjscript').value;

Debugger.sendMessage('EXECUTE_JAVASCRIPT', jString);

8'8.8495:<:>

6064686

11T1k1x1

>&>6>?>]>

77849>9`9

0%1x1

;(

4L4U4a4

2 252[2}2

: :$:(:,:0:4:8:<:>

6$=(=,=0=4=

2 2$2(2|2

3 3$3(3,3

? ?$?(?,?0?4?8?

5 5(545|5

= =,=\=`=|=

3 3$3(3,30343@4

> >@>`>|>

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

nKERNEL32.DLL

WUSER32.DLL

888816666554443

6666554443

!6666554443

-config.channelName="

window.close = function(){ AweView.closeWindow();}

-config.channel=

-config.uri=

-add.gamesExplorer=1

-add.gameDesktop=1

-add.gameStartMenu=1

-add.uninstallProgram=1

-add.uninstallStartMenu=1

-config.channelLanguage=

GMLauncher.exe

-config.gmLauncher="

-config.startMenuIconUrl=

-add.channelStartMenu=1

Webkit Internal Error, closing application

OAutoUpdate Failed to get interface to IBackgroundCopyJobHttpOptions

\/:*?"|

CERTKEY_M

CERTID

CERTKEY_

CERT_

rundll32.exe

SupportFlags

\StringFileInfo\xx\%s

The Download Games Manager has encountered an error and needs to close. Please click the 'OK' button below to exit the Games Manager. You may relaunch it from your Start Menu or desktop icon. If this error continues, please click here to submit an error report to our developers.

hXXp://s3.parature.com/ics/support/default.asp?deptID=5816&task=knowledge&questionID=3190

2.2.3.385

GamesManager.exe

awesomium_process.exe_468:

.text

`.rdata

@.data

.rsrc

@.reloc

GetProcessWindowStation

C:\Users\developer\awesomium-1-7\chromium\src\build\Release\awesomium_process.pdb

KERNEL32.dll

awesomium.dll

GetCPInfo

3A4D4V4q4y4

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

%Documents and Settings%\%current user%\Local Settings\Application Data\GamesManager\awesomium_process.exe

1.7.5.1

awesomium_process.exe

awesomium_process.exe_468_rwx_01C00000_00100000:

PVh%F